Indicator catalog

3076 value patterns flagged by two or more production detection rules across Sigma, Elastic, and Splunk — process names, file paths, registry keys, and other tokens that rule authors treat as suspicious. 35 of these are flagged by rules from at least two vendors (high-confidence corpus consensus). Field names are unified across vendors (Image covers process.executable, NewProcessName, etc.); the eq: / match: / ends_with: prefix shows the operator a rule uses to check a value. Click any entry for the contributing rules and MITRE technique attribution.

3076 entries

`CommandLine` 882 entries

match: http 31 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, PowerShell T1059.001, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Hidden Window T1564.003

Sample rules (showing 8 of 31):

match: rundll32 19 rules

Top techniques:Windows Management Instrumentation T1047, Windows Service T1543.003, Malicious File T1204.002, Regsvr32 T1218.010, Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557

Sample rules (showing 8 of 19):

sigma Suspicious Child Process of Notepad++ Updater - GUP.Exe
sigma Potential Meterpreter/CobaltStrike Activity
sigma Suspicious Child Process Of Veeam Dabatase
sigma Suspicious Advpack Call Via Rundll32.EXE
sigma Potential Obfuscated Ordinal Call Via Rundll32
sigma Process Memory Dump Via Comsvcs.DLL
sigma ShimCache Flush
sigma Rundll32 UNC Path Execution

match: \Users\Public\ 17 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Windows Management Instrumentation T1047, Rundll32 T1218.011, Trusted Developer Utilities Proxy Execution T1127, Hidden Files and Directories T1564.001

Sample rules (showing 8 of 17):

match: \AppData\Local\Temp\ 16 rules

Top techniques:System Binary Proxy Execution T1218, Visual Basic T1059.005, JavaScript T1059.007, Regsvr32 T1218.010, Trusted Developer Utilities Proxy Execution T1127, Compile After Delivery T1027.004

Sample rules (showing 8 of 16):

match: add 16 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Local Account T1136.001, Indicator Blocking T1562.006, Control Panel T1218.002, Event Triggered Execution T1546

Sample rules (showing 8 of 16):

match: powershell 16 rules

Top techniques:Scheduled Task T1053.005, Windows Command Shell T1059.003, PowerShell T1059.001, Windows Service T1543.003, Windows Management Instrumentation T1047, SSH T1021.004

Sample rules (showing 8 of 16):

match: .dll 15 rules

Top techniques:Odbcconf T1218.008, Ingress Tool Transfer T1105, Rundll32 T1218.011, Hidden Files and Directories T1564.001, Rename Legitimate Utilities T1036.003, BITS Jobs T1197

Sample rules (showing 8 of 15):

match: :\Windows\Temp\ 15 rules

Top techniques:System Binary Proxy Execution T1218, Trusted Developer Utilities Proxy Execution T1127, Hidden Window T1564.003, Remote Desktop Software T1219.002, Disable or Modify System Firewall T1562.004, Odbcconf T1218.008

Sample rules (showing 8 of 15):

match: http:// 15 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Exfiltration Over Web Service T1567, Compiled HTML File T1218.001, Mshta T1218.005, Indirect Command Execution T1202

Sample rules (showing 8 of 15):

match: /create 14 rules

Top techniques:Scheduled Task T1053.005, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, System Binary Proxy Execution T1218, Masquerade Task or Service T1036.004

Sample rules (showing 8 of 14):

match: :\Temp\ 14 rules

Top techniques:System Binary Proxy Execution T1218, Regsvr32 T1218.010, Trusted Developer Utilities Proxy Execution T1127, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197

Sample rules (showing 8 of 14):

match: :\Users\Public\ 14 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Compile After Delivery T1027.004, System Binary Proxy Execution T1218, Remote Desktop Software T1219.002

Sample rules (showing 8 of 14):

match: https:// 14 rules

Sample rules (showing 8 of 14):

match: \Downloads\ 12 rules

Top techniques:System Binary Proxy Execution T1218, Windows Service T1543.003, Hidden Files and Directories T1564.001, Hidden Window T1564.003, Windows Management Instrumentation T1047, PowerShell T1059.001

Sample rules (showing 8 of 12):

match: cscript 12 rules

Top techniques:Scheduled Task T1053.005, Windows Management Instrumentation T1047, Windows Service T1543.003, Malicious File T1204.002, Regsvr32 T1218.010, Command and Scripting Interpreter T1059

Sample rules (showing 8 of 12):

match: wscript 12 rules

Sample rules (showing 8 of 12):

match: -c 11 rules

Top techniques:System Binary Proxy Execution T1218, Modify Registry T1112, LSASS Memory T1003.001, Indirect Command Execution T1202, Native API T1106, Trusted Developer Utilities Proxy Execution T1127

Sample rules (showing 8 of 11):

sigma Potential Adplus.EXE Abuse
sigma Indirect Inline Command Execution Via Bash.EXE
sigma Potential Binary Proxy Execution Via Cdb.EXE
sigma Curl Download And Execute Combination
sigma New Capture Session Launched Via DXCap.EXE
sigma Forfiles Command Execution
sigma File Encryption Using Gpg4win
sigma HackTool - SOAPHound Execution

match: add 11 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Modify Registry T1112, Disable or Modify Tools T1562.001, Windows Management Instrumentation T1047, Disable Windows Event Logging T1562.002, Exploitation for Privilege Escalation T1068

Sample rules (showing 8 of 11):

match: \Desktop\ 11 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Windows Service T1543.003, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules (showing 8 of 11):

match: copy 11 rules

Top techniques:Rename Legitimate Utilities T1036.003, File Deletion T1070.004, Inhibit System Recovery T1490, Accessibility Features T1546.008, Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002

Sample rules (showing 8 of 11):

match: mshta 11 rules

Top techniques:Windows Management Instrumentation T1047, Windows Service T1543.003, Malicious File T1204.002, Regsvr32 T1218.010, Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules (showing 8 of 11):

match: regsvr32 11 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010, Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Scheduled Task T1053.005

Sample rules (showing 8 of 11):

match: \AppData\Roaming\ 10 rules

Top techniques:System Binary Proxy Execution T1218, Scheduled Task T1053.005, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules (showing 8 of 10):

match: \Windows\Temp\ 10 rules

Top techniques:System Binary Proxy Execution T1218, Windows Management Instrumentation T1047, Hidden Files and Directories T1564.001, Obfuscated Files or Information T1027, Compile After Delivery T1027.004, PowerShell T1059.001

Sample rules (showing 8 of 10):

ends_with: .dll 9 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Rundll32 T1218.011

Sample rules (showing 8 of 9):

match: %tmp% 9 rules

Top techniques:Ingress Tool Transfer T1105, Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, System Binary Proxy Execution T1218

Sample rules (showing 8 of 9):

match: add 9 rules

Top techniques:Disable or Modify Tools T1562.001, Command and Scripting Interpreter T1059, Services Registry Permissions Weakness T1574.011, Disable or Modify System Firewall T1562.004, Windows Service T1543.003

Sample rules (showing 8 of 9):

match: \\\\ 8 rules

Top techniques:Ingress Tool Transfer T1105, SMB/Windows Admin Shares T1021.002, System Binary Proxy Execution T1218, Regsvr32 T1218.010, Rundll32 T1218.011, Malware T1587.001

Sample rules:

match: .bat 8 rules

Top techniques:Hidden Files and Directories T1564.001, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Obfuscated Files or Information T1027, Hidden Window T1564.003

Sample rules:

match: \AppData\ 8 rules

Top techniques:Ingress Tool Transfer T1105, Scheduled Task T1053.005, PowerShell T1059.001, Rundll32 T1218.011, Domain Groups T1069.002, Domain Account T1087.002

Sample rules:

match: \AppData\Local\ 8 rules

Top techniques:System Binary Proxy Execution T1218, Scheduled Task T1053.005, Hidden Files and Directories T1564.001, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197

Sample rules:

match: \AppData\Local\Temp 8 rules

Top techniques:Command and Scripting Interpreter T1059, Windows Service T1543.003, Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, System Binary Proxy Execution T1218, Scheduled Task T1053.005

Sample rules:

match: config 8 rules

Top techniques:Disable or Modify Tools T1562.001, Windows Service T1543.003, Disable Windows Event Logging T1562.002, Exfiltration to Cloud Storage T1567.002, Services Registry Permissions Weakness T1574.011, Service Stop T1489

Sample rules:

sigma Disable Windows IIS HTTP Logging
sigma Suspicious IIS URL GlobalRules Rewrite Via AppCmd
sigma Disable Windows Defender AV Security Monitoring
sigma PUA - Rclone Execution
sigma Possible Privilege Escalation via Weak Service Permissions
sigma New Kernel Driver Via SC.EXE
sigma Suspicious Service Path Modification
sigma Suspicious Windows Service Tampering

match: create 8 rules

Top techniques:Windows Service T1543.003, Windows Management Instrumentation T1047, OS Credential Dumping T1003, Security Account Manager T1003.002, NTDS T1003.003, Malicious File T1204.002

Sample rules:

sigma New Service Creation Using Sc.EXE
sigma New Kernel Driver Via SC.EXE
sigma Suspicious New Service Creation
sigma Shadow Copies Creation Using Operating Systems Utilities
sigma New Virtual Smart Card Created Via TpmVscMgr.EXE
sigma New Process Created Via Wmic.EXE
sigma Process Reconnaissance Via Wmic.EXE
sigma Suspicious WMIC Execution Via Office Process

match: curl 8 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, PowerShell T1059.001, Scheduled Task T1053.005, Stage Capabilities T1608

Sample rules:

match: iwr 8 rules

Top techniques:Ingress Tool Transfer T1105, PowerShell T1059.001, Command and Scripting Interpreter T1059, Stage Capabilities T1608

Sample rules:

ends_with: .dat 7 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

ends_with: .vbe 7 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: .vbs 7 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

match: %AppData% 7 rules

Top techniques:Ingress Tool Transfer T1105, Scheduled Task T1053.005, Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, PowerShell T1059.001, Windows Command Shell T1059.003

Sample rules:

match: .jpg 7 rules

Top techniques:Ingress Tool Transfer T1105, JavaScript T1059.007, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027, Deobfuscate/Decode Files or Information T1140

Sample rules:

match: .png 7 rules

Sample rules:

match: .txt 7 rules

Top techniques:JavaScript T1059.007, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, System Binary Proxy Execution T1218, LSASS Memory T1003.001

Sample rules:

match: /c 7 rules

Top techniques:Windows Command Shell T1059.003, Obfuscated Files or Information T1027, PowerShell T1059.001, Distributed Component Object Model T1021.003, Windows Management Instrumentation T1047, Visual Basic T1059.005

Sample rules:

match: FromBase64String 7 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, Standard Encoding T1132.001, Rundll32 T1218.011, Remote System Discovery T1018, System Owner/User Discovery T1033

Sample rules:

match: \Temp\ 7 rules

Top techniques:Ingress Tool Transfer T1105, Scheduled Task T1053.005, Rundll32 T1218.011, Rename Legitimate Utilities T1036.003

Sample rules:

match: \\\\ 7 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220

Sample rules:

match: call 7 rules

Top techniques:Windows Management Instrumentation T1047, Query Registry T1012, Modify Registry T1112, Malicious File T1204.002, Regsvr32 T1218.010, Disable or Modify Tools T1562.001

Sample rules:

sigma New Process Created Via Wmic.EXE
sigma Process Reconnaissance Via Wmic.EXE
sigma Registry Manipulation via WMI Stdregprov
sigma Suspicious WMIC Execution Via Office Process
sigma Application Terminated Via Wmic.EXE
sigma Application Removed Via Wmic.EXE
sigma Potential Tampering With Security Products Via WMIC

match: delete 7 rules

Top techniques:Disable or Modify Tools T1562.001, Indicator Removal T1070, Inhibit System Recovery T1490, Bootkit T1542.003, Screen Capture T1113

Sample rules:

match: ftp:// 7 rules

Top techniques:System Binary Proxy Execution T1218, Exfiltration Over Web Service T1567, Mshta T1218.005

Sample rules:

match: set 7 rules

Top techniques:Disable or Modify System Firewall T1562.004, Inhibit System Recovery T1490, Command and Scripting Interpreter T1059, Windows File and Directory Permissions Modification T1222.001, Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: wget 7 rules

Top techniques:Ingress Tool Transfer T1105, PowerShell T1059.001, Stage Capabilities T1608

Sample rules:

ends_with: .dll" 6 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: .dll' 6 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: .exe 6 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: .hta 6 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: .ps1 6 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: .psm1 6 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

match: -d 6 rules

Top techniques:PowerShell T1059.001, Windows Management Instrumentation T1047, Scheduled Task/Job T1053, Windows Command Shell T1059.003, Brute Force T1110, Password Policy Discovery T1201

Sample rules:

match: -enc 6 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027, Scheduled Task T1053.005, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

match: use 6 rules

Top techniques:SMB/Windows Admin Shares T1021.002, System Network Connections Discovery T1049, Valid Accounts T1078, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

match: -i 6 rules

Top techniques:Msiexec T1218.007, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Boot or Logon Autostart Execution T1547, Scheduled Task T1053.005, Network Sniffing T1040

Sample rules:

match: .dmp 6 rules

Top techniques:LSASS Memory T1003.001, Archive via Utility T1560.001, Masquerading T1036

Sample rules:

sigma 7Zip Compressing Dump Files
sigma Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
sigma HackTool - HandleKatz LSASS Dumper Execution
sigma Renamed CreateDump Utility Execution
sigma LSASS Dump Keyword In CommandLine
sigma Winrar Compressing Dump Files

match: .gif 6 rules

Top techniques:JavaScript T1059.007, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Obfuscated Files or Information T1027, Deobfuscate/Decode Files or Information T1140

Sample rules:

match: .jpeg 6 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027, Regsvcs/Regasm T1218.009, Rundll32 T1218.011

Sample rules:

match: .js 6 rules

Top techniques:JavaScript T1059.007, Hidden Window T1564.003, Phishing T1566, Spearphishing Attachment T1566.001, Windows Service T1543.003, Services Registry Permissions Weakness T1574.011

Sample rules:

match: :\PerfLogs\ 6 rules

Top techniques:Odbcconf T1218.008, Regsvr32 T1218.010, Command and Scripting Interpreter T1059

Sample rules:

match: :\Users\ 6 rules

Top techniques:System Binary Proxy Execution T1218, Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, Compile After Delivery T1027.004, Command and Scripting Interpreter T1059

Sample rules:

match: :\Windows\Tasks\ 6 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, System Binary Proxy Execution T1218, Remote Desktop Software T1219.002, Disable or Modify System Firewall T1562.004, Odbcconf T1218.008, Command and Scripting Interpreter T1059

Sample rules:

match: C:\ProgramData\ 6 rules

Top techniques:Scheduled Task T1053.005, Ingress Tool Transfer T1105, Native API T1106, Modify Registry T1112, Regsvr32 T1218.010

Sample rules:

match: Invoke-WebRequest 6 rules

Top techniques:Ingress Tool Transfer T1105, PowerShell T1059.001, Stage Capabilities T1608

Sample rules:

match: \Contacts\ 6 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003, Compile After Delivery T1027.004, System Binary Proxy Execution T1218

Sample rules:

match: \Favorites\ 6 rules

Sample rules:

match: \Favourites\ 6 rules

Sample rules:

match: \Temporary Internet 6 rules

Top techniques:Command and Scripting Interpreter T1059, Compile After Delivery T1027.004, System Binary Proxy Execution T1218, Scheduled Task T1053.005

Sample rules:

match: cmd.exe /c 6 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

match: cmd.exe /k 6 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

match: cmd.exe /r 6 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

match: query 6 rules

Top techniques:System Information Discovery T1082, System Network Configuration Discovery T1016, Domain Trust Discovery T1482, System Service Discovery T1007, Query Registry T1012, Software Discovery T1518

Sample rules:

match: start 6 rules

Top techniques:System Binary Proxy Execution T1218, Network Sniffing T1040, Disable or Modify Tools T1562.001, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, NTDS T1003.003

Sample rules:

match: type 6 rules

Top techniques:PowerShell T1059.001, Ingress Tool Transfer T1105, NTFS File Attributes T1564.004, DLL T1574.001

Sample rules:

ends_with: .bat 5 rules

Sample rules:

ends_with: .bat" 5 rules

Sample rules:

ends_with: .bat' 5 rules

Sample rules:

ends_with: .dat" 5 rules

Sample rules:

ends_with: .dat' 5 rules

Sample rules:

ends_with: .exe" 5 rules

Sample rules:

ends_with: .exe' 5 rules

Sample rules:

ends_with: .hta" 5 rules

Sample rules:

ends_with: .hta' 5 rules

Sample rules:

ends_with: .msi 5 rules

Sample rules:

ends_with: .msi" 5 rules

Sample rules:

ends_with: .msi' 5 rules

Sample rules:

ends_with: .ps1" 5 rules

Sample rules:

ends_with: .ps1' 5 rules

Sample rules:

ends_with: .psm1" 5 rules

Sample rules:

ends_with: .psm1' 5 rules

Sample rules:

ends_with: .vbe" 5 rules

Sample rules:

ends_with: .vbe' 5 rules

Sample rules:

ends_with: .vbs" 5 rules

Sample rules:

ends_with: .vbs' 5 rules

Sample rules:

match: -e 5 rules

Top techniques:PowerShell T1059.001, Modify Registry T1112, Trusted Developer Utilities Proxy Execution T1127

Sample rules:

match: -f 5 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036, Odbcconf T1218.008, File Deletion T1070.004

Sample rules:

sigma Suspicious Ping/Del Command Combination
sigma CreateDump Process Dump
sigma Response File Execution Via Odbcconf.EXE
sigma Suspicious Response File Execution Via Odbcconf.EXE
sigma Renamed CreateDump Utility Execution

match: -n 5 rules

Top techniques:File Deletion T1070.004, Regsvr32 T1218.010, OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134, Remote System Discovery T1018

Sample rules:

match: -p 5 rules

Top techniques:LSASS Memory T1003.001, Windows Management Instrumentation T1047, Scheduled Task/Job T1053, PowerShell T1059.001, Windows Command Shell T1059.003, Brute Force T1110

Sample rules:

match: /add 5 rules

Top techniques:Account Manipulation T1098, Local Account T1087.001, Domain Account T1087.002, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: /addfile 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Ingress Tool Transfer T1105

Sample rules:

match: /transfer 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Ingress Tool Transfer T1105

Sample rules:

match: > 5 rules

Top techniques:System Owner/User Discovery T1033, Ingress Tool Transfer T1105, NTFS File Attributes T1564.004, PowerShell T1059.001

Sample rules:

match: cp 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, Masquerading T1036, Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: %temp% 5 rules

Top techniques:Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, System Binary Proxy Execution T1218

Sample rules:

match: --headless 5 rules

Top techniques:Hidden Window T1564.003, Ingress Tool Transfer T1105, Browser Session Hijacking T1185, PowerShell T1059.001, Windows Command Shell T1059.003

Sample rules:

match: -f 5 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Scheduled Task T1053.005

Sample rules:

match: .cab 5 rules

Top techniques:NTFS File Attributes T1564.004, Ingress Tool Transfer T1105

Sample rules:

match: .cmd 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules:

match: .hta 5 rules

Top techniques:Hidden Files and Directories T1564.001, Hidden Window T1564.003, Native API T1106, Phishing T1566, Spearphishing Attachment T1566.001, Command and Scripting Interpreter T1059

Sample rules:

match: .scr 5 rules

Top techniques:Hidden Window T1564.003, Phishing T1566, Spearphishing Attachment T1566.001, Screensaver T1546.002, Windows Service T1543.003, Services Registry Permissions Weakness T1574.011

Sample rules:

match: .vbs 5 rules

Top techniques:Hidden Files and Directories T1564.001, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003, Command and Scripting Interpreter T1059

Sample rules:

match: .xml 5 rules

Top techniques:JavaScript T1059.007, Obfuscated Files or Information T1027, Group Policy Preferences T1552.006, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: :\ProgramData\ 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, System Binary Proxy Execution T1218, Odbcconf T1218.008, Regsvr32 T1218.010

Sample rules:

match: C:\Users\ 5 rules

Top techniques:System Binary Proxy Execution T1218, Modify Registry T1112, Regsvr32 T1218.010, Scheduled Task T1053.005, PowerShell T1059.001, Bypass User Account Control T1548.002

Sample rules:

match: DownloadString 5 rules

Top techniques:Rundll32 T1218.011, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: Invoke- 5 rules

Top techniques:Code Repositories T1593.003

Sample rules:

sigma Suspicious Git Clone
sigma Potentially Suspicious Execution Of PDQDeployRunner
sigma Suspicious Usage Of ShellExec_RunDLL
sigma Potentially Suspicious Windows App Activity
sigma Suspicious WindowsTerminal Child Processes

match: anonfiles.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: bitsadmin 5 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Scheduled Task T1053.005, Command and Scripting Interpreter T1059, Hide Artifacts T1564, Malicious Copy and Paste T1204.004

Sample rules:

match: cdn.discordapp.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: certutil 5 rules

Sample rules:

match: cmd 5 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, SSH T1021.004, Windows Command Shell T1059.003, Remote Access Tools T1219, Token Impersonation/Theft T1134.001

Sample rules:

sigma OpenEDR Spawning Command Shell
sigma Invoke-Obfuscation CLIP+ Launcher
sigma Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
sigma Potential Meterpreter/CobaltStrike Activity
sigma Suspicious FileFix Execution Pattern

match: cmd /c 5 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

match: cmd /k 5 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

match: cmd /r 5 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

match: ddns.net 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: del 5 rules

Top techniques:File Deletion T1070.004, Disable or Modify Tools T1562.001, Indicator Removal T1070

Sample rules:

match: dl.dropboxusercontent.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ghostbin.co 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: glitch.me 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: gofile.io 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: hastebin.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: mediafire.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: mega.nz 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: onrender.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: pages.dev 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: paste.ee 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: pastebin.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: pastebin.pl 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: pastetext.net 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: privatlab.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: privatlab.net 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: pwsh 5 rules

Top techniques:Windows Management Instrumentation T1047, SSH T1021.004, Windows Command Shell T1059.003, Remote Access Tools T1219, Scheduled Task T1053.005, Malicious Copy and Paste T1204.004

Sample rules:

sigma OpenEDR Spawning Command Shell
sigma Schtasks From Suspicious Folders
sigma Suspicious FileFix Execution Pattern
sigma Suspicious Process Created Via Wmic.EXE
sigma Suspicious WmiPrvSE Child Process

match: send.exploit.in 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: sendspace.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: storage.googleapis.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: storjshare.io 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: supabase.co 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: temp.sh 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: transfer.sh 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: trycloudflare.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ufile.io 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: w3spaces.com 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: workers.dev 5 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

regex_match: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} 5 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: .gif 4 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

ends_with: .jpeg 4 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

ends_with: .png 4 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

match: -R 4 rules

Top techniques:Remote Desktop Protocol T1021.001, Protocol Tunneling T1572, Masquerading T1036, SSH T1021.004, Remote Services T1021

Sample rules:

sigma Suspicious Plink Port Forwarding
sigma Renamed Plink Execution
sigma Port Forwarding Activity Via SSH.EXE
sigma Potential Remote Desktop Tunneling

match: -a 4 rules

Top techniques:Modify Registry T1112, Trusted Developer Utilities Proxy Execution T1127, Archive via Utility T1560.001

Sample rules:

match: -c 4 rules

Top techniques:Command Obfuscation T1027.010, Python T1059.006, Command and Scripting Interpreter T1059, Account Discovery T1087, Local Account T1087.001, Domain Account T1087.002

Sample rules:

sigma Python One-Liners with Base64 Decoding
sigma Python Inline Command Execution
sigma Suspicious Use of PsLogList
sigma Potential File Overwrite Via Sysinternals SDelete

match: -decode 4 rules

Top techniques:Scheduled Task T1053.005, OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134, Remote System Discovery T1018, System Owner/User Discovery T1033

Sample rules:

match: -e 4 rules

Top techniques:Command and Scripting Interpreter T1059, PowerShell T1059.001, Obfuscated Files or Information T1027

Sample rules:

sigma Perl Inline Command Execution
sigma Suspicious Encoded PowerShell Command Line
sigma PowerShell Base64 Encoded Invoke Keyword
sigma Ruby Inline Command Execution

match: -ma 4 rules

Top techniques:LSASS Memory T1003.001, Rename Legitimate Utilities T1036.003, OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134, Masquerading T1036

Sample rules:

match: -u 4 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036, Windows Management Instrumentation T1047, Scheduled Task/Job T1053, PowerShell T1059.001, Windows Command Shell T1059.003

Sample rules:

sigma CreateDump Process Dump
sigma HackTool - CrackMapExec Execution
sigma Renamed CreateDump Utility Execution
sigma Potential PsExec Remote Execution

match: a 4 rules

Top techniques:Archive via Utility T1560.001, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: copy 4 rules

Top techniques:Rename Legitimate Utilities T1036.003, Exfiltration to Cloud Storage T1567.002, Disable or Modify Tools T1562.001

Sample rules:

sigma PUA - Rclone Execution
sigma Add SafeBoot Keys Via Reg Utility
sigma Suspicious Copy From or To System Directory
sigma LOL-Binary Copied From System Directory

match: delete 4 rules

Top techniques:Disable or Modify Tools T1562.001, Exploitation of Remote Services T1210, Service Stop T1489

Sample rules:

match: set 4 rules

Top techniques:Command and Scripting Interpreter T1059, Windows Management Instrumentation T1047, Account Manipulation T1098

Sample rules:

match: %ProgramData% 4 rules

Top techniques:Scheduled Task T1053.005, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Windows Management Instrumentation T1047

Sample rules:

match: %Public% 4 rules

Top techniques:Ingress Tool Transfer T1105, Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, Scheduled Task T1053.005

Sample rules:

match: %Temp% 4 rules

Top techniques:Ingress Tool Transfer T1105, Rundll32 T1218.011, Scheduled Task T1053.005

Sample rules:

match: %appdata% 4 rules

Top techniques:System Binary Proxy Execution T1218, Modify Registry T1112, Scheduled Task T1053.005, Windows Management Instrumentation T1047

Sample rules:

match: -a 4 rules

Top techniques:Msiexec T1218.007, Ingress Tool Transfer T1105, Boot or Logon Autostart Execution T1547

Sample rules:

sigma Replace.exe Usage
sigma Suspicious Driver Install by pnputil.exe
sigma Msiexec Quiet Installation
sigma Suspicious Msiexec Quiet Install From Remote Location

match: .cpl 4 rules

Top techniques:Hidden Window T1564.003, Hijack Execution Flow T1574, Rundll32 T1218.011, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .doc 4 rules

Top techniques:JavaScript T1059.007, Obfuscated Files or Information T1027, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Automated Collection T1119, Credentials In Files T1552.001

Sample rules:

match: .exe 4 rules

Top techniques:Hidden Files and Directories T1564.001, System Binary Proxy Execution T1218, Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .githubusercontent.com 4 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: .ppt 4 rules

Sample rules:

match: .vbe 4 rules

Top techniques:Hidden Files and Directories T1564.001, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003, Visual Basic T1059.005

Sample rules:

match: .xls 4 rules

Sample rules:

match: .zip 4 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Indirect Command Execution T1202, System Binary Proxy Execution T1218, NTFS File Attributes T1564.004

Sample rules:

match: /Create 4 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: /delete 4 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218, Network Share Connection Removal T1070.005, Service Stop T1489, System Owner/User Discovery T1033, Local Account T1087.001

Sample rules:

match: /v 4 rules

Top techniques:Group Policy Discovery T1615, Data Encrypted for Impact T1486, Software Discovery T1518, Hidden Users T1564.002

Sample rules:

match: 0 4 rules

Top techniques:Disable or Modify Tools T1562.001, Screen Capture T1113, Impair Defenses T1562

Sample rules:

match: :// 4 rules

Top techniques:Ingress Tool Transfer T1105, Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220, PowerShell T1059.001

Sample rules:

match: :\Perflogs\ 4 rules

Top techniques:Hidden Window T1564.003, Compile After Delivery T1027.004, System Binary Proxy Execution T1218, Command and Scripting Interpreter T1059

Sample rules:

match: C:\Windows\Temp\ 4 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Native API T1106, Modify Registry T1112

Sample rules:

match: Invoke-RestMethod 4 rules

Top techniques:PowerShell T1059.001, Ingress Tool Transfer T1105

Sample rules:

match: Invoke-WebRequest 4 rules

Top techniques:PowerShell T1059.001, Ingress Tool Transfer T1105, Command and Scripting Interpreter T1059, Remote Access Tools T1219

Sample rules:

match: NT AUT 4 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: New-ItemProperty 4 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, Indicator Blocking T1562.006, Downgrade Attack T1562.010, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: Set-ItemProperty 4 rules

Sample rules:

match: backup 4 rules

Top techniques:Inhibit System Recovery T1490, Exfiltration Over Alternative Protocol T1048, Exfiltration to Cloud Storage T1567.002, NTDS T1003.003

Sample rules:

sigma PUA - Restic Backup Tool Execution
sigma All Backups Deleted Via Wbadmin.EXE
sigma Windows Backup Deleted Via Wbadmin.EXE
sigma Sensitive File Dump Via Wbadmin.EXE

match: binPath 4 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011

Sample rules:

match: cmd /c 4 rules

Top techniques:PowerShell T1059.001, Windows Service T1543.003, Scheduled Task T1053.005

Sample rules:

match: copy-item 4 rules

Top techniques:Rename Legitimate Utilities T1036.003, Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: cpi 4 rules

Sample rules:

match: delete 4 rules

Top techniques:Disable or Modify Tools T1562.001, Clear Windows Event Logs T1070.001, Disable or Modify System Firewall T1562.004, Inhibit System Recovery T1490

Sample rules:

match: dir 4 rules

Top techniques:Automated Collection T1119, Credentials In Files T1552.001, System Owner/User Discovery T1033, Local Account T1087.001, Private Keys T1552.004

Sample rules:

match: firewall 4 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

match: github.com 4 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: install 4 rules

Top techniques:Network Service Discovery T1046, Web Shell T1505.003, Process Injection T1055, Command and Scripting Interpreter T1059

Sample rules:

match: lsass 4 rules

Top techniques:LSASS Memory T1003.001, Group Policy Preferences T1552.006, Masquerading T1036

Sample rules:

match: msiexec 4 rules

Top techniques:Remote Access Tools T1219, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

match: ping 4 rules

Top techniques:File Deletion T1070.004, Remote System Discovery T1018, Command and Scripting Interpreter T1059, OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134

Sample rules:

match: reg 4 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Windows Management Instrumentation T1047, Disable or Modify Tools T1562.001

Sample rules:

match: rundll32.exe 4 rules

Top techniques:Rundll32 T1218.011, Process Injection T1055

Sample rules:

match: sdset 4 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011

Sample rules:

match: si 4 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: user 4 rules

Top techniques:Local Account T1136.001, Exfiltration to Cloud Storage T1567.002, System Owner/User Discovery T1033, Local Account T1087.001

Sample rules:

sigma New User Created Via Net.EXE
sigma New User Created Via Net.EXE With Never Expire Option
sigma PUA - Rclone Execution
sigma Local Accounts Discovery

regex_match: :[^ \\] 4 rules

Top techniques:Modify Registry T1112

Sample rules:

ends_with: .log 3 rules

Top techniques:Regsvr32 T1218.010

Sample rules:

ends_with: .txt 3 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

match: -Group 3 rules

Top techniques:Account Manipulation T1098, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: -O 3 rules

Sample rules:

match: -en 3 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: -f 3 rules

Top techniques:File Deletion T1070.004, Domain Account T1087.002, Ingress Tool Transfer T1105, NTFS File Attributes T1564.004

Sample rules:

sigma File Deletion Via Del
sigma Active Directory Structure Export Via Csvde.EXE
sigma PrintBrm ZIP Creation of Extraction

match: -hp 3 rules

Top techniques:Archive via Utility T1560.001, Command and Scripting Interpreter T1059, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: -i 3 rules

Top techniques:Domain Account T1087.002, Regsvr32 T1218.010

Sample rules:

match: -i 3 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Credentials In Files T1552.001, NTFS File Attributes T1564.004, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

sigma Insensitive Subfolder Search Via Findstr.EXE
sigma Installation of WSL Kali-Linux
sigma WSL Kali-Linux Usage

match: -m 3 rules

Top techniques:Archive via Utility T1560.001, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

sigma Rar Usage with Password and Compression Level
sigma Kernel Memory Dump Via LiveKD
sigma Webshell Hacking Activity Patterns

match: -mp 3 rules

Top techniques:LSASS Memory T1003.001, Rename Legitimate Utilities T1036.003, Masquerading T1036

Sample rules:

match: -w hidden 3 rules

Top techniques:Scheduled Task T1053.005, Command and Scripting Interpreter T1059, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: /s 3 rules

Top techniques:Control Panel T1218.002, Event Triggered Execution T1546, Modify Registry T1112, Automated Collection T1119, Credentials In Files T1552.001

Sample rules:

sigma Control Panel Items
sigma Imports Registry Key From a File
sigma Automated Collection Command Prompt

match: 0 3 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001

Sample rules:

match: administrateur 3 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002, Account Manipulation T1098

Sample rules:

match: stop 3 rules

Top techniques:Service Stop T1489, Disable or Modify Tools T1562.001

Sample rules:

sigma Stop Windows Service Via Net.EXE
sigma Stop Windows Service Via Sc.EXE
sigma Suspicious Windows Service Tampering

match: tunnel 3 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Connections Cleanup
sigma Cloudflared Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: user 3 rules

Top techniques:Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003, Archive via Utility T1560.001

Sample rules:

match: # 3 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001, Command Obfuscation T1027.010

Sample rules:

match: #+ 3 rules

Top techniques:Command Obfuscation T1027.010, LSASS Memory T1003.001, Masquerading T1036

Sample rules:

match: #- 3 rules

Top techniques:Command Obfuscation T1027.010, LSASS Memory T1003.001, Masquerading T1036

Sample rules:

match: %comspec% 3 rules

Top techniques:Scheduled Task T1053.005, Malicious Copy and Paste T1204.004, Windows Management Instrumentation T1047

Sample rules:

match: --accept-server-license-terms 3 rules

Top techniques:Remote Access Tools T1219, Web Protocols T1071.001

Sample rules:

match: --healthcheck 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --level Full 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --no-enum-limit 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --output 3 rules

Sample rules:

match: --output-document 3 rules

Sample rules:

match: --remote-name 3 rules

Sample rules:

match: --scanner aclcheck 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner antivirus 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner computerversion 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner foreignusers 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner laps_bitlocker 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner localadmin 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner nullsession 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner nullsession-trust 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner oxidbindings 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner remote 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner share 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner smb 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner smb3querynetwork 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner spooler 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner startup 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --scanner zerologon 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: --server 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

match: -config 3 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Connections Cleanup
sigma Cloudflared Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: -encode 3 rules

Top techniques:Obfuscated Files or Information T1027

Sample rules:

match: -r 3 rules

Top techniques:Data from Local System T1005, Disable or Modify Tools T1562.001, Archive Collected Data T1560, Archive via Utility T1560.001

Sample rules:

sigma Esentutl Steals Browser Information
sigma PUA - CleanWipe Execution
sigma Compressed File Creation Via Tar.EXE

match: -s 3 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: -u 3 rules

Top techniques:OS Credential Dumping T1003, Disable or Modify Tools T1562.001, Archive Collected Data T1560, Archive via Utility T1560.001

Sample rules:

sigma Capture Credentials with Rpcping.exe
sigma Uninstall Sysinternals Sysmon
sigma Compressed File Creation Via Tar.EXE

match: -u 3 rules

Top techniques:Windows Remote Management T1021.006, Brute Force T1110, Password Guessing T1110.001, System Binary Proxy Execution T1218

Sample rules:

match: .DownloadFile( 3 rules

Top techniques:Command and Scripting Interpreter T1059, Ingress Tool Transfer T1105, Stage Capabilities T1608

Sample rules:

match: .DownloadString( 3 rules

Top techniques:Command and Scripting Interpreter T1059, Ingress Tool Transfer T1105, Stage Capabilities T1608

Sample rules:

match: .downloadfile( 3 rules

Top techniques:Hidden Window T1564.003, OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134, Remote System Discovery T1018, System Owner/User Discovery T1033

Sample rules:

match: .downloadstring( 3 rules

Sample rules:

match: .dump 3 rules

Top techniques:Archive via Utility T1560.001

Sample rules:

sigma 7Zip Compressing Dump Files
sigma Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
sigma Winrar Compressing Dump Files

match: .hdmp 3 rules

Top techniques:Archive via Utility T1560.001

Sample rules:

sigma 7Zip Compressing Dump Files
sigma Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
sigma Winrar Compressing Dump Files

match: .inf 3 rules

Top techniques:System Binary Proxy Execution T1218, Boot or Logon Autostart Execution T1547, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .pdf 3 rules

Top techniques:Obfuscated Files or Information T1027, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Automated Collection T1119, Credentials In Files T1552.001

Sample rules:

match: .ps 3 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .ps1 3 rules

Top techniques:Hidden Files and Directories T1564.001, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003

Sample rules:

match: .reg 3 rules

Top techniques:Modify Registry T1112, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

sigma Imports Registry Key From a File
sigma Imports Registry Key From an ADS
sigma Writing Of Malicious Files To The Fonts Folder

match: .tmp 3 rules

Top techniques:Obfuscated Files or Information T1027, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Rundll32 T1218.011

Sample rules:

match: .vb 3 rules

Sample rules:

match: /C 3 rules

Top techniques:Distributed Component Object Model T1021.003, Windows Management Instrumentation T1047, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

sigma HackTool - Potential Impacket Lateral Movement Activity
sigma Suspicious Extrac32 Execution
sigma Verclsid.exe Runs COM Object

match: /add 3 rules

Top techniques:System Owner/User Discovery T1033, Install Root Certificate T1553.004, Local Account T1087.001, Remote System Discovery T1018, Account Discovery T1087, Web Shell T1505.003

Sample rules:

sigma New Root Certificate Installed Via CertMgr.EXE
sigma Local Accounts Discovery
sigma Webshell Hacking Activity Patterns

match: /r 3 rules

Top techniques:Windows Command Shell T1059.003, Obfuscated Files or Information T1027, PowerShell T1059.001, Windows File and Directory Permissions Modification T1222.001

Sample rules:

sigma Potential CommandLine Path Traversal Via Cmd.EXE
sigma Invoke-Obfuscation CLIP+ Launcher
sigma Suspicious Recursive Takeown

match: /s 3 rules

Top techniques:File Deletion T1070.004, Credentials in Registry T1552.002, CMSTP T1218.003, Bypass User Account Control T1548.002

Sample rules:

sigma Directory Removal Via Rmdir
sigma Enumeration for Credentials in Registry
sigma Bypass UAC via CMSTP

match: /user: 3 rules

Top techniques:System Binary Proxy Execution T1218, Indirect Command Execution T1202

Sample rules:

match: ://1 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://2 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://3 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://4 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://5 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://6 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://7 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://8 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: ://9 3 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027

Sample rules:

match: :3389 3 rules

Top techniques:Protocol Tunneling T1572, Remote Services T1021

Sample rules:

sigma Potential RDP Tunneling Via Plink
sigma Potential RDP Tunneling Via SSH
sigma Potential Remote Desktop Tunneling

match: :\Perflogs 3 rules

Sample rules:

match: :\Users\Default\ 3 rules

Top techniques:Hidden Window T1564.003, Disable or Modify System Firewall T1562.004, Scheduled Task T1053.005

Sample rules:

match: :\Windows\System32\Tasks\ 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, System Binary Proxy Execution T1218, Command and Scripting Interpreter T1059

Sample rules:

match: > 3 rules

Top techniques:Remote Services T1021, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: Add-LocalGroupMember 3 rules

Top techniques:Account Manipulation T1098, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: Add-MpPreference 3 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: C:\Windows\TEMP\ 3 rules

Top techniques:Windows Service T1543.003, System Binary Proxy Execution T1218

Sample rules:

sigma Potential Suspicious Mofcomp Execution
sigma Suspicious Service Path Modification
sigma Suspicious New Service Creation

match: C:\windows\system32\davclnt.dll,DavSetCookie 3 rules

Top techniques:Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, Exploitation for Credential Access T1212

Sample rules:

match: CATALINA_HOME 3 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

match: ControlSet 3 rules

Top techniques:Downgrade Attack T1562.010, Services Registry Permissions Weakness T1574.011, Modify Registry T1112

Sample rules:

match: MSExchange 3 rules

Top techniques:Web Shell T1505.003, Exploit Public-Facing Application T1190, Service Stop T1489, Disable or Modify Tools T1562.001

Sample rules:

sigma Suspicious ASPX File Drop by Exchange
sigma Suspicious File Drop by Exchange
sigma Suspicious Windows Service Tampering

match: MiniDump 3 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036, Rundll32 T1218.011, OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134

Sample rules:

match: New-ItemProperty 3 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: Out-File 3 rules

Top techniques:System Owner/User Discovery T1033, Command and Scripting Interpreter T1059

Sample rules:

match: Remote Desktop Users 3 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: Set-ItemProperty 3 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: Set-MpPreference 3 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: URL 3 rules

Top techniques:Obfuscated Files or Information T1027, Ingress Tool Transfer T1105

Sample rules:

match: Usuarios de escritorio remoto 3 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: Utilisateurs du Bureau à distance 3 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: \Microsoft\Windows\Start Menu\Programs\Startup\ 3 rules

Top techniques:Windows Service T1543.003, Regsvcs/Regasm T1218.009

Sample rules:

match: \Pictures\ 3 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Compile After Delivery T1027.004

Sample rules:

match: accepteula 3 rules

Top techniques:Malware T1587.001

Sample rules:

match: advfirewall 3 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

match: catalina.jar 3 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

match: cmd /k 3 rules

Top techniques:PowerShell T1059.001, Windows Service T1543.003, Scheduled Task T1053.005

Sample rules:

match: cmd /r 3 rules

Top techniques:PowerShell T1059.001, Windows Service T1543.003, Scheduled Task T1053.005

Sample rules:

match: cmd.exe /c 3 rules

Top techniques:Windows Service T1543.003, PowerShell T1059.001

Sample rules:

match: cmd.exe /k 3 rules

Top techniques:Windows Service T1543.003, PowerShell T1059.001

Sample rules:

match: cmd.exe /r 3 rules

Top techniques:Windows Service T1543.003, PowerShell T1059.001

Sample rules:

match: copy 3 rules

Top techniques:Exfiltration to Cloud Storage T1567.002, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

sigma PUA - Rclone Execution
sigma Copy From Or To Admin Share Or Sysvol Folder
sigma Writing Of Malicious Files To The Fonts Folder

match: curl 3 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Scheduled Task T1053.005, Malicious Copy and Paste T1204.004

Sample rules:

match: echo 3 rules

Top techniques:Token Impersonation/Theft T1134.001, Create Process with Token T1134.002, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211, Remote Services T1021

Sample rules:

match: erase 3 rules

Top techniques:File Deletion T1070.004, Indicator Removal T1070

Sample rules:

sigma File Deletion Via Del
sigma Greedy File Deletion Using Del
sigma IIS WebServer Log Deletion via CommandLine Utilities

match: findstr 3 rules

Top techniques:Credentials In Files T1552.001, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, NTFS File Attributes T1564.004, Steal Application Access Token T1528

Sample rules:

match: hkey_local_machine 3 rules

Top techniques:Query Registry T1012, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005

Sample rules:

sigma Dumping of Sensitive Hives Via Reg.EXE
sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File

match: hklm 3 rules

Top techniques:Query Registry T1012, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005

Sample rules:

sigma Dumping of Sensitive Hives Via Reg.EXE
sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File

match: iex 3 rules

Top techniques:Command and Scripting Interpreter T1059, PowerShell T1059.001

Sample rules:

match: irm 3 rules

Top techniques:Command and Scripting Interpreter T1059, PowerShell T1059.001

Sample rules:

match: localgroup 3 rules

Top techniques:Account Manipulation T1098, Remote Desktop Protocol T1021.001, External Remote Services T1133, Local Account T1136.001

Sample rules:

match: new-object 3 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027

Sample rules:

match: pixeldrain.com 3 rules

Sample rules:

match: process 3 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

sigma New Process Created Via Wmic.EXE
sigma Process Reconnaissance Via Wmic.EXE
sigma Suspicious WMIC Execution Via Office Process

match: reg 3 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, NTFS File Attributes T1564.004, Modify Registry T1112

Sample rules:

match: schtasks 3 rules

Top techniques:Rename Legitimate Utilities T1036.003, Scheduled Task T1053.005, Disable or Modify Tools T1562.001, Malicious Copy and Paste T1204.004

Sample rules:

sigma Renamed Schtasks Execution
sigma Raccine Uninstall
sigma Suspicious FileFix Execution Pattern

match: service 3 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219, Windows Management Instrumentation T1047

Sample rules:

match: snapshot 3 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482, NTDS T1003.003

Sample rules:

match: source 3 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

match: tunnel 3 rules

Top techniques:Internal Proxy T1090.001, Remote Access Tools T1219

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution
sigma Suspicious Velociraptor Child Process

match: urlcache 3 rules

Top techniques:Obfuscated Files or Information T1027, Ingress Tool Transfer T1105

Sample rules:

match: verifyctl 3 rules

Top techniques:Obfuscated Files or Information T1027, Ingress Tool Transfer T1105

Sample rules:

regex_match: \s-O\s 3 rules

Sample rules:

ends_with: .cpl 2 rules

Top techniques:Control Panel T1218.002, Event Triggered Execution T1546, Rundll32 T1218.011

Sample rules:

sigma Control Panel Items
sigma Rundll32 Execution With Uncommon DLL Extension

ends_with: .exe tunnel 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

ends_with: .gif" 2 rules

Sample rules:

ends_with: .gif' 2 rules

Sample rules:

ends_with: .jpeg" 2 rules

Sample rules:

ends_with: .jpeg' 2 rules

Sample rules:

ends_with: .jpg 2 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

ends_with: .log" 2 rules

Sample rules:

ends_with: .log' 2 rules

Sample rules:

ends_with: .png" 2 rules

Sample rules:

ends_with: .png' 2 rules

Sample rules:

ends_with: .rdp 2 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

ends_with: .rdp" 2 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

ends_with: .temp 2 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

ends_with: .tmp 2 rules

Top techniques:Ingress Tool Transfer T1105, Regsvr32 T1218.010

Sample rules:

ends_with: \rundll32.exe 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

ends_with: \sam 2 rules

Top techniques:Query Registry T1012

Sample rules:

sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File

ends_with: \security 2 rules

Top techniques:Query Registry T1012

Sample rules:

sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File

ends_with: \system 2 rules

Top techniques:Query Registry T1012

Sample rules:

sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File

ends_with: rundll32.exe 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Rundll32 T1218.011

Sample rules:

match: --full 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma CreateDump Process Dump
sigma Renamed CreateDump Utility Execution

match: --install 2 rules

Top techniques:Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

sigma Installation of WSL Kali-Linux
sigma WSL Kali-Linux Usage

match: --name 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma CreateDump Process Dump
sigma Renamed CreateDump Utility Execution

match: -E 2 rules

Top techniques:Query Registry T1012

Sample rules:

sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File

match: -EncodedCommand 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: -Filter \* 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: -LoadDLL 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

sigma DLL Loaded via CertOC.EXE
sigma Suspicious DLL Loaded via CertOC.EXE

match: -NoP 2 rules

Top techniques:OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

sigma Suspicious SYSTEM User Process Creation
sigma Webshell Hacking Activity Patterns

match: -P 2 rules

Top techniques:Masquerading T1036, Remote Services T1021

Sample rules:

sigma Renamed Plink Execution
sigma Potential Remote Desktop Tunneling

match: -W Hidden 2 rules

Sample rules:

sigma Suspicious SYSTEM User Process Creation
sigma Webshell Hacking Activity Patterns

match: -af 2 rules

Top techniques:System Binary Proxy Execution T1218, Indirect Command Execution T1202

Sample rules:

match: -clsid 2 rules

Top techniques:Kerberoasting T1558.003

Sample rules:

sigma HackTool - KrbRelay Execution
sigma HackTool - RemoteKrbRelay Execution

match: -ec 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: -enco 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: -g 2 rules

Top techniques:Cached Domain Credentials T1003.005, Account Discovery T1087, Local Account T1087.001, Domain Account T1087.002

Sample rules:

sigma New Generic Credentials Added Via Cmdkey.EXE
sigma Suspicious Use of PsLogList

match: -i -s cmd 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -i -s powershell 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -i -s pwsh 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -o 2 rules

Top techniques:Windows Management Instrumentation T1047, Scheduled Task/Job T1053, PowerShell T1059.001, Windows Command Shell T1059.003, Brute Force T1110, Password Policy Discovery T1201

Sample rules:

sigma HackTool - CrackMapExec Execution
sigma HackTool - SOAPHound Execution

match: -p 2 rules

Top techniques:Archive via Utility T1560.001, Cached Domain Credentials T1003.005

Sample rules:

match: -powershell 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: -q 2 rules

Top techniques:File Deletion T1070.004, Kerberoasting T1558.003

Sample rules:

match: -r 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

match: -r 2 rules

Top techniques:Exfiltration Over Alternative Protocol T1048, Exfiltration to Cloud Storage T1567.002, Command and Scripting Interpreter T1059

Sample rules:

match: -remediationScript 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: -s 2 rules

Top techniques:File Deletion T1070.004, Account Discovery T1087, Local Account T1087.001, Domain Account T1087.002

Sample rules:

sigma File Deletion Via Del
sigma Suspicious Use of PsLogList

match: -s 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Credentials In Files T1552.001, NTFS File Attributes T1564.004, LSASS Memory T1003.001

Sample rules:

match: -s -i cmd 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -s -i powershell 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -s -i pwsh 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -s cmd 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -s powershell 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -s pwsh 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: -sc 2 rules

Top techniques:LSASS Memory T1003.001, Pass the Ticket T1550.003, Kerberoasting T1558.003

Sample rules:

sigma Potential Adplus.EXE Abuse
sigma HackTool - KrbRelayUp Execution

match: -u -p 2 rules

Top techniques:Regsvr32 T1218.010, LSASS Memory T1003.001

Sample rules:

match: -ur 2 rules

Top techniques:Ingress Tool Transfer T1105, PowerShell T1059.001

Sample rules:

match: /c 2 rules

Top techniques:Dynamic-link Library Injection T1055.001

Sample rules:

match: /change 2 rules

Top techniques:Scheduled Task T1053.005, Rename Legitimate Utilities T1036.003

Sample rules:

match: /d 2 rules

Top techniques:Dynamic-link Library Injection T1055.001, NTFS File Attributes T1564.004

Sample rules:

match: /decode 2 rules

Sample rules:

sigma Suspicious SYSTEM User Process Creation
sigma Webshell Hacking Activity Patterns

match: /delete 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Renamed Schtasks Execution
sigma Delete All Scheduled Tasks

match: /f 2 rules

Top techniques:Remote Desktop Protocol T1021.001, Modify Registry T1112, Service Stop T1489

Sample rules:

match: /i 2 rules

Top techniques:Modify Registry T1112

Sample rules:

sigma Imports Registry Key From a File
sigma Imports Registry Key From an ADS

match: /o 2 rules

Top techniques:LSASS Memory T1003.001, NTFS File Attributes T1564.004

Sample rules:

match: /ticket: 2 rules

Sample rules:

sigma Suspicious SYSTEM User Process Creation
sigma Webshell Hacking Activity Patterns

match: /y 2 rules

Top techniques:Security Account Manager T1003.002, NTDS T1003.003, NTFS File Attributes T1564.004

Sample rules:

match: 0x 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

match: > 2 rules

Top techniques:System Binary Proxy Execution T1218, Command and Scripting Interpreter T1059

Sample rules:

match: C:\ 2 rules

Top techniques:Regsvr32 T1218.010, PowerShell T1059.001

Sample rules:

match: C:\Windows\ 2 rules

Top techniques:System Binary Proxy Execution T1218, Regsvr32 T1218.010

Sample rules:

match: Full 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

match: IAB 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: JAB 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: Mini 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

match: ONCE 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: ONIDLE 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: ONLOGON 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: ONSTART 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: SQBFAFgA 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: SUVYI 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: SYSTEM 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: SYSTEM 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: WithHeap 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

match: aQBlAHgA 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: aWV4I 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: administrator 2 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002

Sample rules:

match: administrators 2 rules

Top techniques:Account Manipulation T1098, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: exec 2 rules

Top techniques:Token Impersonation/Theft T1134.001, Make and Impersonate Token T1134.003, Service Execution T1569.002

Sample rules:

sigma HackTool - Impersonate Execution
sigma PUA - NirCmd Execution

match: export 2 rules

Top techniques:Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, NTFS File Attributes T1564.004

Sample rules:

sigma Dumping of Sensitive Hives Via Reg.EXE
sigma Execute From Alternate Data Streams

match: firewall 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

sigma New Firewall Rule Added Via Netsh.EXE
sigma Firewall Rule Update Via Netsh.EXE

match: gp 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: group 2 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: i 2 rules

Top techniques:Proxy T1090, NTDS T1003.003

Sample rules:

match: irm 2 rules

Top techniques:Ingress Tool Transfer T1105, PowerShell T1059.001

Sample rules:

match: list 2 rules

Top techniques:Token Impersonation/Theft T1134.001, Make and Impersonate Token T1134.003, Windows Management Instrumentation T1047, System Information Discovery T1082

Sample rules:

match: localgroup 2 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: mi 2 rules

Top techniques:Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: msiexec 2 rules

Top techniques:Ingress Tool Transfer T1105, Msiexec T1218.007, Masquerade Task or Service T1036.004, Match Legitimate Resource Name or Location T1036.005, Scheduled Task T1053.005

Sample rules:

match: mssql 2 rules

Sample rules:

sigma HackTool - CrackMapExec Execution
sigma HackTool - NetExec Execution

match: mv 2 rules

Top techniques:Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: oudmp 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: p 2 rules

Top techniques:Proxy T1090, Network Sniffing T1040

Sample rules:

match: recovery 2 rules

Top techniques:Inhibit System Recovery T1490, NTDS T1003.003

Sample rules:

match: relay 2 rules

Top techniques:Steal or Forge Authentication Certificates T1649, Pass the Ticket T1550.003, Kerberoasting T1558.003

Sample rules:

sigma HackTool - Certipy Execution
sigma HackTool - KrbRelayUp Execution

match: run 2 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: script 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

match: smb 2 rules

Sample rules:

sigma HackTool - CrackMapExec Execution
sigma HackTool - NetExec Execution

match: start 2 rules

Top techniques:Service Execution T1569.002, Protocol Tunneling T1572

Sample rules:

sigma Start Windows Service Via Net.EXE
sigma PUA - Ngrok Execution

match: | Select 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: %2e 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

match: %COMSPEC% 2 rules

Top techniques:BITS Jobs T1197, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: %TEMP% 2 rules

Top techniques:Disable or Modify System Firewall T1562.004, Command and Scripting Interpreter T1059

Sample rules:

match: %TMP% 2 rules

Top techniques:Disable or Modify System Firewall T1562.004, Command and Scripting Interpreter T1059

Sample rules:

match: %localappdata% 2 rules

Top techniques:Scheduled Task T1053.005, Windows Management Instrumentation T1047

Sample rules:

match: && 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

sigma Invoke-Obfuscation CLIP+ Launcher
sigma Invoke-Obfuscation Via Use MSHTA

match: &cd&echo 2 rules

Top techniques:Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

match: --load-extension= 2 rules

Top techniques:Browser Extensions T1176.001

Sample rules:

match: --meshServiceName 2 rules

Top techniques:Remote Desktop Software T1219.002, Rename Legitimate Utilities T1036.003

Sample rules:

match: -AclObject 2 rules

Sample rules:

match: -AddInRoot: 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: -BinaryPathName 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

sigma New Service Creation Using PowerShell
sigma Suspicious New Service Creation

match: -ComObject 2 rules

Top techniques:PowerShell T1059.001, Command Obfuscation T1027.010, Msiexec T1218.007, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: -GetCACAPS 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

match: -PipelineRoot: 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: -SecurityDescriptorSddl 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Windows Service T1543.003

Sample rules:

match: -a 2 rules

Top techniques:Password Cracking T1110.002, System Binary Proxy Execution T1218

Sample rules:

match: -c 2 rules

Top techniques:Disable or Modify Tools T1562.001, Archive Collected Data T1560, Archive via Utility T1560.001

Sample rules:

sigma Sysmon Configuration Update
sigma Compressed File Creation Via Tar.EXE

match: -connector-id 2 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Connections Cleanup
sigma Renamed Cloudflared.EXE Execution

match: -credentials-contents 2 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: -credentials-file 2 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: -j 2 rules

Top techniques:Msiexec T1218.007

Sample rules:

match: -m 2 rules

Top techniques:Command and Scripting Interpreter T1059, System Binary Proxy Execution T1218

Sample rules:

match: -o 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Scheduled Task T1053.005

Sample rules:

match: -p 2 rules

Top techniques:Windows Remote Management T1021.006, Brute Force T1110, Password Guessing T1110.001

Sample rules:

match: -package 2 rules

Top techniques:Msiexec T1218.007

Sample rules:

match: -path 2 rules

Top techniques:Domain Accounts T1078.002, Account Manipulation T1098, Hijack Execution Flow T1574

Sample rules:

match: -q 2 rules

Top techniques:Msiexec T1218.007

Sample rules:

match: -s 2 rules

Top techniques:OS Credential Dumping T1003, CMSTP T1218.003, Bypass User Account Control T1548.002

Sample rules:

sigma Capture Credentials with Rpcping.exe
sigma Bypass UAC via CMSTP

match: -sc u: 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: -sd 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Windows Service T1543.003

Sample rules:

match: -subnets -f 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: -token 2 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: -url 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: .00x 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

match: .0x 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

match: .7z 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005

Sample rules:

match: .DownloadFile 2 rules

Top techniques:Scheduled Task T1053.005, Remote Access Tools T1219

Sample rules:

match: .DownloadString 2 rules

Top techniques:Scheduled Task T1053.005, Remote Access Tools T1219

Sample rules:

match: .bmp 2 rules

Top techniques:JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Rundll32 T1218.011

Sample rules:

match: .chm 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Compiled HTML File T1218.001

Sample rules:

sigma File With Suspicious Extension Downloaded Via Bitsadmin
sigma HH.EXE Execution

match: .csv 2 rules

Top techniques:JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Visual Basic T1059.005

Sample rules:

match: .dat 2 rules

Top techniques:Regsvcs/Regasm T1218.009, Visual Basic T1059.005, JavaScript T1059.007

Sample rules:

match: .dll 2 rules

Top techniques:PowerShell T1059.001, Rundll32 T1218.011

Sample rules:

match: .dll" 2 rules

Top techniques:Ingress Tool Transfer T1105, Rundll32 T1218.011

Sample rules:

match: .dmp 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma CreateDump Process Dump
sigma Potential SysInternals ProcDump Evasion

match: .exe tunnel 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: .jar 2 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .lnk 2 rules

Top techniques:JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, PowerShell T1059.001

Sample rules:

match: .log 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005

Sample rules:

match: .mp3 2 rules

Top techniques:Obfuscated Files or Information T1027, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005

Sample rules:

match: .pl 2 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .rar 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005

Sample rules:

match: .rsp 2 rules

Top techniques:Odbcconf T1218.008

Sample rules:

match: .rtf 2 rules

Top techniques:JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Automated Collection T1119, Credentials In Files T1552.001

Sample rules:

match: .sdb 2 rules

Top techniques:Application Shimming T1546.011

Sample rules:

match: .sh 2 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: .wsf 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Visual Basic T1059.005, JavaScript T1059.007

Sample rules:

match: .wsh 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules:

match: .yml 2 rules

Top techniques:JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Protocol Tunneling T1572

Sample rules:

sigma MSHTA Execution with Suspicious File Extensions
sigma PUA - Ngrok Execution

match: /../../ 2 rules

Top techniques:Windows Command Shell T1059.003

Sample rules:

match: //0x 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

match: /Create 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: /TN TVInstallRestore 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: /c 2 rules

Top techniques:PowerShell T1059.001, Remote Desktop Software T1219.002

Sample rules:

match: /d 2 rules

Top techniques:Disable or Modify Tools T1562.001, Screensaver T1546.002

Sample rules:

match: /d /c 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: /d 0 2 rules

Top techniques:Screensaver T1546.002, Hidden Users T1564.002

Sample rules:

match: /d 1 2 rules

Top techniques:Modify Registry T1112, Internal Defacement T1491.001, Screensaver T1546.002

Sample rules:

match: /disable 2 rules

Top techniques:Inhibit System Recovery T1490, Service Stop T1489

Sample rules:

match: /f 2 rules

Top techniques:Data Encrypted for Impact T1486, Screensaver T1546.002

Sample rules:

sigma Suspicious Reg Add BitLocker
sigma Suspicious ScreenSave Change by Reg.exe

match: /f 2 rules

Top techniques:Credentials in Registry T1552.002, Windows File and Directory Permissions Modification T1222.001

Sample rules:

sigma Enumeration for Credentials in Registry
sigma Suspicious Recursive Takeown

match: /lng 2 rules

Top techniques:Network Service Discovery T1046, Network Share Discovery T1135

Sample rules:

sigma PUA - Advanced IP Scanner Execution
sigma PUA - Advanced Port Scanner Execution

match: /pass: 2 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

sigma HackTool - SharpLDAPmonitor Execution
sigma Suspicious ZipExec Execution

match: /portable 2 rules

Top techniques:Network Service Discovery T1046, Network Share Discovery T1135

Sample rules:

sigma PUA - Advanced IP Scanner Execution
sigma PUA - Advanced Port Scanner Execution

match: /q 2 rules

Top techniques:File Deletion T1070.004, Windows Command Shell T1059.003, Visual Basic T1059.005, JavaScript T1059.007

Sample rules:

sigma Directory Removal Via Rmdir
sigma HackTool - Koadic Execution

match: /t 2 rules

Top techniques:Disable or Modify Tools T1562.001, Credentials in Registry T1552.002

Sample rules:

match: /t REG_SZ 2 rules

Top techniques:Modify Registry T1112, Internal Defacement T1491.001, Screensaver T1546.002

Sample rules:

match: /v 2 rules

Top techniques:Disable or Modify Tools T1562.001, System Information Discovery T1082

Sample rules:

match: 127.0.0.1 2 rules

Top techniques:OS Credential Dumping T1003, Obfuscated Files or Information T1027, Access Token Manipulation T1134, Windows Management Instrumentation T1047

Sample rules:

sigma Suspicious SYSTEM User Process Creation
sigma WMIC Remote Command Execution

match: ://7- 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, BITS Jobs T1197, Obfuscated Files or Information T1027, Ingress Tool Transfer T1105

Sample rules:

match: ::FromBase64String 2 rules

Top techniques:PowerShell T1059.001, Deobfuscate/Decode Files or Information T1140

Sample rules:

match: :\Tmp\ 2 rules

Top techniques:Scheduled Task T1053.005, Visual Basic T1059.005, JavaScript T1059.007

Sample rules:

match: :\Windows\ 2 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, BITS Jobs T1197

Sample rules:

match: :\Windows\Temp 2 rules

Top techniques:Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, Scheduled Task T1053.005

Sample rules:

match: :\Windows\Tracing\ 2 rules

Top techniques:Remote Desktop Software T1219.002, Odbcconf T1218.008

Sample rules:

match: :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\WinSxS\ 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: ; 2 rules

Top techniques:System Script Proxy Execution T1216, PowerShell T1059.001, System Binary Proxy Execution T1218

Sample rules:

match: ;BA 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

match: ;IU 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

match: ;SU 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

match: ;SY 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

match: ;WD 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

match: Add-Content 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: Add-PSSnapin 2 rules

Top techniques:PowerShell T1059.001, Email Collection T1114

Sample rules:

sigma Email Exifiltration Via Powershell
sigma Exchange PowerShell Snap-Ins Usage

match: Allow 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: Antivirus 2 rules

Top techniques:Disable or Modify Tools T1562.001, Service Stop T1489

Sample rules:

match: Bookmarks 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003, Browser Information Discovery T1217

Sample rules:

sigma SQLite Chromium Profile Data DB Access
sigma Suspicious Where Execution

match: Bypass 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: C:\ProgramData\Microsoft\WSL\wslg.rdp 2 rules

Top techniques:Remote Desktop Protocol T1021.001, Remote Desktop Software T1219.002

Sample rules:

match: C:\Users\Public 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

sigma Suspicious Service Path Modification
sigma Suspicious New Service Creation

match: Control_RunDLL 2 rules

Top techniques:Rundll32 T1218.011

Sample rules:

match: Cookies 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003, Browser Information Discovery T1217

Sample rules:

sigma SQLite Chromium Profile Data DB Access
sigma Suspicious Where Execution

match: DCLCWPDTSD 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011

Sample rules:

match: DownloadFile 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: EnableVirtualizationBasedSecurity 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: Exchange Trusted Subsystem 2 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002

Sample rules:

match: FailureCommand 2 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Modify Registry T1112

Sample rules:

match: Find-GPOLocation 2 rules

Top techniques:Domain Groups T1069.002, Domain Trust Discovery T1482, System Owner/User Discovery T1033, System Network Connections Discovery T1049, Network Share Discovery T1135, PowerShell T1059.001

Sample rules:

match: Get-ChildItem 2 rules

Top techniques:Private Keys T1552.004

Sample rules:

match: Get-Content 2 rules

Top techniques:NTFS File Attributes T1564.004, PowerShell T1059.001

Sample rules:

match: Get-ItemProperty 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: HIGHEST 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: HKCU: 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: HKEY_ 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: HKLM: 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: History 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003, Browser Information Discovery T1217

Sample rules:

sigma SQLite Chromium Profile Data DB Access
sigma Suspicious Where Execution

match: INSTALLDRIVER 2 rules

Top techniques:Odbcconf T1218.008

Sample rules:

match: IWR 2 rules

Top techniques:PowerShell T1059.001, Ingress Tool Transfer T1105, Remote Access Tools T1219

Sample rules:

match: ImagePath 2 rules

Top techniques:Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Modify Registry T1112

Sample rules:

match: Import-Module 2 rules

Sample rules:

match: InstallProduct( 2 rules

Top techniques:PowerShell T1059.001, Command Obfuscation T1027.010, Msiexec T1218.007, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: Invoke-ACLScanner 2 rules

Sample rules:

match: Invoke-Command 2 rules

Top techniques:Rundll32 T1218.011, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: Invoke-Expression 2 rules

Top techniques:Command and Scripting Interpreter T1059, Rundll32 T1218.011

Sample rules:

match: Invoke-Kerberoast 2 rules

Top techniques:Windows Command Shell T1059.003, System Owner/User Discovery T1033, System Network Connections Discovery T1049, Domain Groups T1069.002, Network Share Discovery T1135, Domain Trust Discovery T1482

Sample rules:

sigma Operator Bloopers Cobalt Strike Modules
sigma HackTool - SharpView Execution

match: Invoke-Nightmare 2 rules

Top techniques:Windows Command Shell T1059.003, PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087

Sample rules:

match: Invoke-RestMethod 2 rules

Top techniques:PowerShell T1059.001, Ingress Tool Transfer T1105, Command and Scripting Interpreter T1059

Sample rules:

match: Invoke-Tater 2 rules

Top techniques:LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087

Sample rules:

match: Invoke-UserHunter 2 rules

Top techniques:Windows Command Shell T1059.003, PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087

Sample rules:

match: LaunchApplication 2 rules

Top techniques:Rundll32 T1218.011

Sample rules:

sigma Code Execution via Pcwutl.dll
sigma Potentially Suspicious Rundll32 Activity

match: Login Data 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003, Browser Information Discovery T1217

Sample rules:

sigma SQLite Chromium Profile Data DB Access
sigma Suspicious Where Execution

match: New-Service 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

sigma New Service Creation Using PowerShell
sigma Suspicious New Service Creation

match: REGSVR 2 rules

Top techniques:Odbcconf T1218.008

Sample rules:

match: Set-Acl 2 rules

Sample rules:

match: Set-Content 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: Set-Service 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Windows Service T1543.003

Sample rules:

match: Shell32.dll 2 rules

Top techniques:Rundll32 T1218.011

Sample rules:

sigma Potentially Suspicious Rundll32 Activity
sigma Suspicious Control Panel DLL Load

match: ShellExec_RunDLL 2 rules

Top techniques:Rundll32 T1218.011

Sample rules:

match: Start-BitsTransfer 2 rules

Top techniques:Ingress Tool Transfer T1105, Stage Capabilities T1608, PowerShell T1059.001

Sample rules:

match: Stop-Service 2 rules

Top techniques:Service Stop T1489, Disable or Modify Tools T1562.001

Sample rules:

match: Unrestricted 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: WinDefend 2 rules

Top techniques:Disable or Modify Tools T1562.001, Service Stop T1489

Sample rules:

match: \AppData\Roaming\Temp 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

match: \Appdata\Local\Temp\ 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: \DavWWWRoot\ 2 rules

Top techniques:PowerShell T1059.001, User Execution T1204

Sample rules:

match: \Music\ 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003

Sample rules:

match: \PerfLogs\ 2 rules

Top techniques:Obfuscated Files or Information T1027, Regsvcs/Regasm T1218.009

Sample rules:

match: \ProgramData\ 2 rules

Top techniques:Hidden Files and Directories T1564.001, System Binary Proxy Execution T1218

Sample rules:

match: \SYSTEM\CurrentControlSet\Control\SafeBoot 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: \Software\Aerofox\FoxmailPreview 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\Aerofox\Foxmail\V3.1 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\DownloadManager\Passwords 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\FTPWare\COREFTP\Sites 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\IncrediMail\Identities 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\Martin Prikryl\WinSCP 2\Sessions 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Windows Management Instrumentation T1047

Sample rules:

match: \Software\ORL\WinVNC3\Password 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\OpenSSH\Agent\Keys 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\OpenVPN-GUI\configs 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\Qualcomm\Eudora\CommandLine 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\RealVNC\WinVNC4 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\RimArts\B2\Settings 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\SimonTatham\PuTTY\Sessions 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\Sota\FFFTP 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\TightVNC\Server 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Windows Management Instrumentation T1047

Sample rules:

match: \Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: \System\CurrentControlSet\Control\Lsa 2 rules

Top techniques:Modify Registry T1112

Sample rules:

match: \UpdateDeploy.dll /ClassId 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: \Videos\ 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, BITS Jobs T1197, Hidden Window T1564.003

Sample rules:

match: \WINDOWS\Temp\ 2 rules

Top techniques:System Binary Proxy Execution T1218, Scheduled Task T1053.005

Sample rules:

match: \Windows\BitLocker 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \Windows\ExploitGuard 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \Windows\NTDS\NTDS.dit 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \Windows\SystemRestore\SR 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \Windows\Temp 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

match: \Windows\UpdateOrchestrator\ 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \Windows\Windows Defender\ 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \Windows\WindowsBackup\ 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \Windows\WindowsUpdate\ 2 rules

Top techniques:Service Stop T1489

Sample rules:

sigma Delete Important Scheduled Task
sigma Disable Important Scheduled Task

match: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy 2 rules

Top techniques:Inhibit System Recovery T1490

Sample rules:

match: \catalina_start.bat 2 rules

Top techniques:Process Discovery T1057, Process Injection T1055

Sample rules:

match: \config\SAM 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \config\SECURITY 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \config\SYSTEM 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \dismhost.exe { 2 rules

Top techniques:Inhibit System Recovery T1490, Bypass User Account Control T1548.002

Sample rules:

match: \servers\Stable- 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: \software\ 2 rules

Top techniques:Software Discovery T1518

Sample rules:

match: \windows\ntds\ntds.dit 2 rules

Top techniques:NTDS T1003.003, Security Account Manager T1003.002

Sample rules:

match: \xampp\ 2 rules

Top techniques:Process Discovery T1057, Process Injection T1055

Sample rules:

match: account 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: adinfo 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: anti-bot 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: botcheck 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: bypass 2 rules

Sample rules:

match: captcha 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: cat 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: challenge 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: cleanup 2 rules

Top techniques:Proxy T1090, Web Service T1102, Protocol Tunneling T1572, Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Tunnel Connections Cleanup
sigma Renamed Cloudflared.EXE Execution

match: cmd 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

sigma Suspicious Service Path Modification
sigma Suspicious New Service Creation

match: cmd.exe 2 rules

Top techniques:BITS Jobs T1197, Distributed Component Object Model T1021.003, Windows Management Instrumentation T1047

Sample rules:

match: code-server.cmd 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: collect 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

match: computer_pwdnotreqd 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: computers_active 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: computers_pwdnotreqd 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: comsvcs 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

sigma Process Memory Dump Via Comsvcs.DLL
sigma Webshell Hacking Activity Patterns

match: config 2 rules

Top techniques:System Network Configuration Discovery T1016, Windows Service T1543.003, Services Registry Permissions Weakness T1574.011

Sample rules:

match: confirmation 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: cookies.sqlite 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Browser Information Discovery T1217

Sample rules:

sigma SQLite Firefox Profile Data DB Access
sigma Suspicious Where Execution

match: dcmodes 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: diantz.exe 2 rules

Top techniques:NTFS File Attributes T1564.004, Ingress Tool Transfer T1105

Sample rules:

match: disable 2 rules

Top techniques:Disable Windows Event Logging T1562.002, Disable or Modify System Firewall T1562.004

Sample rules:

sigma Audit Policy Tampering Via Auditpol
sigma Firewall Disabled via Netsh.EXE

match: dllhost 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

sigma Suspicious Service Path Modification
sigma Suspicious New Service Creation

match: domain admins 2 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002

Sample rules:

match: domainlist 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: domainncs 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: dompol 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: dpapi:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: echo 2 rules

Top techniques:Remote Desktop Software T1219.002, DLL T1574.001

Sample rules:

sigma Remote Access Tool - AnyDesk Piped Password Via CLI
sigma Tasks Folder Evasion

match: encodedcommand 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: enterprise admins 2 rules

Top techniques:Local Account T1087.001, Domain Account T1087.002

Sample rules:

match: export 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: extrac32.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, NTFS File Attributes T1564.004

Sample rules:

match: failure 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Windows Service T1543.003

Sample rules:

match: file createnew 2 rules

Top techniques:Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211, DLL T1574.001

Sample rules:

sigma Writing Of Malicious Files To The Fonts Folder
sigma Tasks Folder Evasion

match: finger 2 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Malicious Copy and Paste T1204.004

Sample rules:

match: firewall 2 rules

Top techniques:Disable or Modify System Firewall T1562.004, System Network Configuration Discovery T1016

Sample rules:

match: for 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Deobfuscate/Decode Files or Information T1140, Remote System Discovery T1018, Command and Scripting Interpreter T1059

Sample rules:

sigma Suspicious XOR Encoded PowerShell Command
sigma Suspicious Scan Loop Network

match: forfiles 2 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Scheduled Task T1053.005

Sample rules:

match: fraud 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: fspdmp 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: ftp 2 rules

Top techniques:Exfiltration to Cloud Storage T1567.002, Regsvr32 T1218.010

Sample rules:

sigma PUA - Rclone Execution
sigma Potentially Suspicious Regsvr32 HTTP/FTP Pattern

match: gatherNetworkInfo.vbs 2 rules

Top techniques:Visual Basic T1059.005, Group Policy Discovery T1615

Sample rules:

match: gpodmp 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: http://% 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

match: human 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: identification 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: identificator 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: identity 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: iex 2 rules

Sample rules:

match: import 2 rules

Top techniques:Indicator Removal T1070, Bootkit T1542.003, Command Obfuscation T1027.010, Python T1059.006

Sample rules:

match: interactive 2 rules

Top techniques:At T1053.002, Kerberoasting T1558.003

Sample rules:

sigma Interactive AT Job
sigma HackTool - RemoteKrbRelay Execution

match: internal-run 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: ipmo 2 rules

Sample rules:

match: itemtype:File 2 rules

Top techniques:Inhibit System Recovery T1490, NTDS T1003.003

Sample rules:

match: keepVersions:0 2 rules

Top techniques:Inhibit System Recovery T1490

Sample rules:

sigma All Backups Deleted Via Wbadmin.EXE
sigma Windows Backup Deleted Via Wbadmin.EXE

match: kerberos:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: lsadump:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: mklink 2 rules

Top techniques:Accessibility Features T1546.008, Security Account Manager T1003.002, NTDS T1003.003

Sample rules:

match: move 2 rules

Top techniques:Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: name="Domain Admins" 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: ni 2 rules

Top techniques:Modify Registry T1112, Disable Windows Event Logging T1562.002, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: nslookup 2 rules

Top techniques:System Information Discovery T1082, Account Discovery T1087, Remote System Discovery T1018, Command and Scripting Interpreter T1059

Sample rules:

sigma Network Reconnaissance Activity
sigma Suspicious Scan Loop Network

match: objectcategory= 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: osk.exe 2 rules

Top techniques:Accessibility Features T1546.008

Sample rules:

match: paexec 2 rules

Top techniques:Malware T1587.001

Sample rules:

match: passphrase 2 rules

Sample rules:

sigma File Decryption Using Gpg4win
sigma File Encryption Using Gpg4win

match: path 2 rules

Top techniques:JavaScript T1059.007, Windows Management Instrumentation T1047, System Information Discovery T1082

Sample rules:

match: places.sqlite 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Browser Information Discovery T1217

Sample rules:

sigma SQLite Firefox Profile Data DB Access
sigma Suspicious Where Execution

match: powershell.exe 2 rules

Top techniques:Windows Command Shell T1059.003, PowerShell T1059.001

Sample rules:

match: privilege:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: process 2 rules

Top techniques:Windows Management Instrumentation T1047, Disable or Modify Tools T1562.001

Sample rules:

match: pwsh.exe 2 rules

Top techniques:Windows Command Shell T1059.003, PowerShell T1059.001

Sample rules:

match: recoveryTarget 2 rules

Top techniques:Inhibit System Recovery T1490, NTDS T1003.003

Sample rules:

match: registry:: 2 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

match: regsvr32.exe 2 rules

Top techniques:BITS Jobs T1197, Scheduled Task T1053.005

Sample rules:

match: robot 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: root 2 rules

Top techniques:Install Root Certificate T1553.004

Sample rules:

match: rpc:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: rule 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

match: save 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

match: sekurlsa:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: sethc.exe 2 rules

Top techniques:Accessibility Features T1546.008

Sample rules:

match: shadow 2 rules

Top techniques:OS Credential Dumping T1003, Security Account Manager T1003.002, NTDS T1003.003, Indicator Removal T1070, Inhibit System Recovery T1490

Sample rules:

match: shell32.dll 2 rules

Top techniques:Rundll32 T1218.011

Sample rules:

match: sp 2 rules

Top techniques:Disable or Modify Tools T1562.001, Indicator Blocking T1562.006, Modify Registry T1112, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: start=disabled 2 rules

Top techniques:Disable or Modify Tools T1562.001, Service Stop T1489

Sample rules:

match: subnetdmp 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: svchost 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

sigma Suspicious Service Path Modification
sigma Suspicious New Service Creation

match: sysmon 2 rules

Top techniques:Indicator Removal T1070, Impair Defenses T1562, Disable Windows Event Logging T1562.002, Service Stop T1489, Disable or Modify Tools T1562.001

Sample rules:

sigma Sysmon Driver Unloaded Via Fltmc.EXE
sigma Suspicious Windows Service Tampering

match: token:: 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002, LSA Secrets T1003.004, Cached Domain Credentials T1003.005, DCSync T1003.006, OS Credential Dumping T1003

Sample rules:

sigma HackTool - Mimikatz Execution
sigma Suspicious SYSTEM User Process Creation

match: trace 2 rules

Top techniques:Network Sniffing T1040, Indicator Removal T1070, Indicator Blocking T1562.006

Sample rules:

sigma New Network Trace Capture Started Via Netsh.EXE
sigma ETW Trace Evasion Activity

match: trustdmp 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: tunnel 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: tunnel-service.log 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

match: type 2 rules

Top techniques:Windows Service T1543.003, Command and Scripting Interpreter T1059, Exploitation for Defense Evasion T1211

Sample rules:

match: uninstall 2 rules

Top techniques:Windows Management Instrumentation T1047, Disable or Modify Tools T1562.001

Sample rules:

match: unload 2 rules

Top techniques:Indicator Removal T1070, Impair Defenses T1562, Disable Windows Event Logging T1562.002

Sample rules:

sigma Filter Driver Unloaded Via Fltmc.EXE
sigma Sysmon Driver Unloaded Via Fltmc.EXE

match: update 2 rules

Top techniques:Network Service Discovery T1046, Indicator Removal T1070, Indicator Blocking T1562.006

Sample rules:

sigma Python Initiated Connection
sigma ETW Trace Evasion Activity

match: useraccount 2 rules

Top techniques:System Owner/User Discovery T1033, Local Account T1087.001, Windows Management Instrumentation T1047, Account Manipulation T1098

Sample rules:

sigma Local Accounts Discovery
sigma Password Set to Never Expire via WMI

match: users_noexpire 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind Suspicious Execution
sigma Renamed AdFind Execution

match: utilman.exe 2 rules

Top techniques:Accessibility Features T1546.008

Sample rules:

match: validation 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: vbscript 2 rules

Top techniques:JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140, Mshta T1218.005, Scheduled Task T1053.005

Sample rules:

match: verification 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: verify 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: wget 2 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Malicious Copy and Paste T1204.004

Sample rules:

match: winrm 2 rules

Top techniques:System Script Proxy Execution T1216

Sample rules:

match: wmic 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: wmic.exe 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: zzzzInvokeManagedCustomActionOutOfProc 2 rules

Top techniques:System Binary Proxy Execution T1218, Rundll32 T1218.011

Sample rules:

match: ☂️ 2 rules

Sample rules:

match: ♟ 2 rules

Sample rules:

match: ❤️‍🔥 2 rules

Sample rules:

match: ❤️‍🩹 2 rules

Sample rules:

match: 😮‍💨 2 rules

Sample rules:

match: 😵‍💫 2 rules

Sample rules:

match: 😶‍🌫️ 2 rules

Sample rules:

match: 🛝 2 rules

Sample rules:

match: 🛞 2 rules

Sample rules:

match: 🛟 2 rules

Sample rules:

match: 🟰 2 rules

Sample rules:

match: 🥹 2 rules

Sample rules:

match: 🦴 2 rules

Sample rules:

match: 🧌 2 rules

Sample rules:

match: 🧔‍♀️ 2 rules

Sample rules:

match: 🧔‍♂️ 2 rules

Sample rules:

match: 🧔🏻‍♀️ 2 rules

Sample rules:

match: 🧔🏻‍♂️ 2 rules

Sample rules:

match: 🧔🏼‍♀️ 2 rules

Sample rules:

match: 🧔🏼‍♂️ 2 rules

Sample rules:

match: 🧔🏽‍♀️ 2 rules

Sample rules:

match: 🧔🏽‍♂️ 2 rules

Sample rules:

match: 🧔🏾‍♀️ 2 rules

Sample rules:

match: 🧔🏾‍♂️ 2 rules

Sample rules:

match: 🧔🏿‍♀️ 2 rules

Sample rules:

match: 🧔🏿‍♂️ 2 rules

Sample rules:

match: 🩰 2 rules

Sample rules:

match: 🩸 2 rules

Sample rules:

match: 🩻 2 rules

Sample rules:

match: 🩼 2 rules

Sample rules:

match: 🪩 2 rules

Sample rules:

match: 🪪 2 rules

Sample rules:

match: 🪫 2 rules

Sample rules:

match: 🪬 2 rules

Sample rules:

match: 🪷 2 rules

Sample rules:

match: 🪸 2 rules

Sample rules:

match: 🪹 2 rules

Sample rules:

match: 🪺 2 rules

Sample rules:

match: 🫃 2 rules

Sample rules:

match: 🫃🏻 2 rules

Sample rules:

match: 🫃🏼 2 rules

Sample rules:

match: 🫃🏽 2 rules

Sample rules:

match: 🫃🏾 2 rules

Sample rules:

match: 🫃🏿 2 rules

Sample rules:

match: 🫄 2 rules

Sample rules:

match: 🫄🏻 2 rules

Sample rules:

match: 🫄🏼 2 rules

Sample rules:

match: 🫄🏽 2 rules

Sample rules:

match: 🫄🏾 2 rules

Sample rules:

match: 🫄🏿 2 rules

Sample rules:

match: 🫅 2 rules

Sample rules:

match: 🫅🏻 2 rules

Sample rules:

match: 🫅🏼 2 rules

Sample rules:

match: 🫅🏽 2 rules

Sample rules:

match: 🫅🏾 2 rules

Sample rules:

match: 🫅🏿 2 rules

Sample rules:

match: 🫗 2 rules

Sample rules:

match: 🫘 2 rules

Sample rules:

match: 🫙 2 rules

Sample rules:

match: 🫡 2 rules

Sample rules:

match: 🫢 2 rules

Sample rules:

match: 🫣 2 rules

Sample rules:

match: 🫥 2 rules

Sample rules:

match: 🫦 2 rules

Sample rules:

match: 🫧 2 rules

Sample rules:

match: 🫰 2 rules

Sample rules:

match: 🫰🏻 2 rules

Sample rules:

match: 🫰🏼 2 rules

Sample rules:

match: 🫰🏽 2 rules

Sample rules:

match: 🫰🏾 2 rules

Sample rules:

match: 🫰🏿 2 rules

Sample rules:

match: 🫱 2 rules

Sample rules:

match: 🫱🏻 2 rules

Sample rules:

match: 🫱🏼 2 rules

Sample rules:

match: 🫱🏽 2 rules

Sample rules:

match: 🫱🏾 2 rules

Sample rules:

match: 🫱🏿 2 rules

Sample rules:

match: 🫲 2 rules

Sample rules:

match: 🫲🏻 2 rules

Sample rules:

match: 🫲🏼 2 rules

Sample rules:

match: 🫲🏽 2 rules

Sample rules:

match: 🫲🏾 2 rules

Sample rules:

match: 🫲🏿 2 rules

Sample rules:

match: 🫳 2 rules

Sample rules:

match: 🫳🏻 2 rules

Sample rules:

match: 🫳🏼 2 rules

Sample rules:

match: 🫳🏽 2 rules

Sample rules:

match: 🫳🏾 2 rules

Sample rules:

match: 🫳🏿 2 rules

Sample rules:

match: 🫴 2 rules

Sample rules:

match: 🫴🏻 2 rules

Sample rules:

match: 🫴🏼 2 rules

Sample rules:

match: 🫴🏽 2 rules

Sample rules:

match: 🫴🏾 2 rules

Sample rules:

match: 🫴🏿 2 rules

Sample rules:

match: 🫵 2 rules

Sample rules:

match: 🫵🏻 2 rules

Sample rules:

match: 🫵🏼 2 rules

Sample rules:

match: 🫵🏽 2 rules

Sample rules:

match: 🫵🏾 2 rules

Sample rules:

match: 🫵🏿 2 rules

Sample rules:

match: 🫶 2 rules

Sample rules:

match: 🫶🏻 2 rules

Sample rules:

match: 🫶🏼 2 rules

Sample rules:

match: 🫶🏽 2 rules

Sample rules:

match: 🫶🏾 2 rules

Sample rules:

match: 🫶🏿 2 rules

Sample rules:

ne: unknown 2 rules

Top techniques:Break Process Trees T1036.009, Bootkit T1542.003

Sample rules:

regex_match: [0-7]{7,13} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

regex_match: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} 2 rules

Top techniques:Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, Command and Scripting Interpreter T1059

Sample rules:

regex_match: :[^\\] 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

regex_match: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

regex_match: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

regex_match: https?://0[0-9]{1,11} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

regex_match: https?://0[0-9]{3,11} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

regex_match: https?://[0-9]{1,3}\.0[0-9]{3,7} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

regex_match: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} 2 rules

Sample rules:

sigma Obfuscated IP Download Activity
sigma Obfuscated IP Via CLI

`Image` 619 entries

ends_with: \powershell.exe 143 rules

Top techniques:PowerShell T1059.001, System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001, Command and Scripting Interpreter T1059, Obfuscated Files or Information T1027, Windows Management Instrumentation T1047

Sample rules (showing 8 of 143):

ends_with: \pwsh.exe 140 rules

Top techniques:PowerShell T1059.001, System Binary Proxy Execution T1218, Command and Scripting Interpreter T1059, Disable or Modify Tools T1562.001, Obfuscated Files or Information T1027, Windows Management Instrumentation T1047

Sample rules (showing 8 of 140):

ends_with: \cmd.exe 92 rules

Top techniques:System Binary Proxy Execution T1218, Windows Command Shell T1059.003, Command and Scripting Interpreter T1059, Exploit Public-Facing Application T1190, PowerShell T1059.001, Web Shell T1505.003

Sample rules (showing 8 of 92):

ends_with: \rundll32.exe 76 rules

Top techniques:Rundll32 T1218.011, System Binary Proxy Execution T1218, Masquerading T1036, Regsvr32 T1218.010, Exploitation for Client Execution T1203, Windows Management Instrumentation T1047

Sample rules (showing 8 of 76):

ends_with: \cscript.exe 64 rules

Top techniques:System Binary Proxy Execution T1218, Visual Basic T1059.005, Command and Scripting Interpreter T1059, JavaScript T1059.007, Spearphishing Attachment T1566.001, Indirect Command Execution T1202

Sample rules (showing 8 of 64):

ends_with: \wscript.exe 64 rules

Sample rules (showing 8 of 64):

ends_with: \mshta.exe 57 rules

Top techniques:System Binary Proxy Execution T1218, Command and Scripting Interpreter T1059, Mshta T1218.005, Process Injection T1055, Spearphishing Attachment T1566.001, Exploitation for Client Execution T1203

Sample rules (showing 8 of 57):

ends_with: \regsvr32.exe 57 rules

Top techniques:Regsvr32 T1218.010, System Binary Proxy Execution T1218, Rundll32 T1218.011, Windows Management Instrumentation T1047, Process Injection T1055, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 57):

ends_with: \reg.exe 46 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001, System Information Discovery T1082, Credentials in Registry T1552.002, Rename Legitimate Utilities T1036.003

Sample rules (showing 8 of 46):

ends_with: \schtasks.exe 45 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, System Binary Proxy Execution T1218, Windows Management Instrumentation T1047, Regsvr32 T1218.010, Service Stop T1489

Sample rules (showing 8 of 45):

ends_with: \wmic.exe 37 rules

Top techniques:Windows Management Instrumentation T1047, XSL Script Processing T1220, Visual Basic T1059.005, JavaScript T1059.007, Process Injection T1055, Command and Scripting Interpreter T1059

Sample rules (showing 8 of 37):

ends_with: \certutil.exe 34 rules

Top techniques:Obfuscated Files or Information T1027, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Phishing T1566, Spearphishing Attachment T1566.001, Command and Scripting Interpreter T1059

Sample rules (showing 8 of 34):

ends_with: \net.exe 27 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Process Injection T1055, Local Account T1087.001, Service Stop T1489, Local Account T1136.001, Web Service T1102

Sample rules (showing 8 of 27):

ends_with: \powershell_ise.exe 27 rules

Top techniques:PowerShell T1059.001, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Exploit Public-Facing Application T1190, Web Shell T1505.003, Disable or Modify Tools T1562.001

Sample rules (showing 8 of 27):

ends_with: \net1.exe 25 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Local Account T1087.001, Service Stop T1489, Local Account T1136.001, Web Service T1102, Domain Account T1087.002

Sample rules (showing 8 of 25):

ends_with: \bitsadmin.exe 23 rules

Top techniques:BITS Jobs T1197, Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, System Binary Proxy Execution T1218, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules (showing 8 of 23):

ends_with: \msedge.exe 22 rules

Top techniques:Web Service T1102, Ingress Tool Transfer T1105, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Hidden Window T1564.003, Browser Extensions T1176.001

Sample rules (showing 8 of 22):

ends_with: \msiexec.exe 21 rules

Top techniques:Windows Management Instrumentation T1047, Msiexec T1218.007, Regsvr32 T1218.010, Malicious File T1204.002, Rundll32 T1218.011, Phishing T1566

Sample rules (showing 8 of 21):

ends_with: \opera.exe 21 rules

Top techniques:Web Service T1102, Ingress Tool Transfer T1105, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Hidden Window T1564.003, Browser Extensions T1176.001

Sample rules (showing 8 of 21):

ends_with: \brave.exe 20 rules

Top techniques:Web Service T1102, Ingress Tool Transfer T1105, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Hidden Window T1564.003, Browser Extensions T1176.001

Sample rules (showing 8 of 20):

ends_with: \svchost.exe 20 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, PowerShell T1059.001, Masquerading T1036, Remote Desktop Protocol T1021.001, Protocol Tunneling T1572, Malicious File T1204.002

Sample rules (showing 8 of 20):

ends_with: \curl.exe 19 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Ingress Tool Transfer T1105, Hijack Execution Flow T1574, DLL T1574.001, Web Service T1102

Sample rules (showing 8 of 19):

ends_with: \vivaldi.exe 19 rules

Top techniques:Web Service T1102, Ingress Tool Transfer T1105, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Hidden Window T1564.003, Browser Extensions T1176.001

Sample rules (showing 8 of 19):

ends_with: \whoami.exe 18 rules

Top techniques:System Owner/User Discovery T1033, Process Injection T1055, Web Service T1102, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Local Account T1087.001

Sample rules (showing 8 of 18):

ends_with: \bash.exe 17 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003, Malicious File T1204.002, Process Injection T1055, Command and Scripting Interpreter T1059, Web Service T1102

Sample rules (showing 8 of 17):

ends_with: \sc.exe 17 rules

Top techniques:Windows Service T1543.003, Disable or Modify Tools T1562.001, Services Registry Permissions Weakness T1574.011, Service Stop T1489, OS Credential Dumping T1003, Exploitation for Privilege Escalation T1068

Sample rules (showing 8 of 17):

ends_with: \winword.exe 17 rules

Top techniques:Malicious File T1204.002, DLL T1574.001, Process Hollowing T1055.012, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules (showing 8 of 17):

ends_with: \excel.exe 16 rules

Top techniques:Malicious File T1204.002, Process Hollowing T1055.012, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Process Injection T1055

Sample rules (showing 8 of 16):

ends_with: \netsh.exe 16 rules

Top techniques:Disable or Modify System Firewall T1562.004, Network Sniffing T1040, Proxy T1090, System Network Configuration Discovery T1016, Netsh Helper DLL T1546.007, Rename Legitimate Utilities T1036.003

Sample rules (showing 8 of 16):

ends_with: \outlook.exe 16 rules

Top techniques:Malicious File T1204.002, Fallback Channels T1008, Office Application Startup T1137, Event Triggered Execution T1546, Process Injection T1055, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 16):

sigma Rare Remote Thread Creation By Uncommon Source Image
sigma Office Macro File Download
sigma New Outlook Macro Created
sigma Potential Persistence Via Outlook Form
sigma Suspicious Outlook Macro Created
sigma DotNET Assembly DLL Loaded Via Office Application
sigma CLR DLL Loaded Via Office Applications
sigma GAC DLL Loaded Via Office Applications

starts_with: C:\Windows\SysWOW64\ 16 rules

Top techniques:DLL T1574.001, Inhibit System Recovery T1490, GUI Input Capture T1056.002, Regsvr32 T1218.010, Rundll32 T1218.011, Path Interception by Search Order Hijacking T1574.008

Sample rules (showing 8 of 16):

starts_with: C:\Windows\System32\ 16 rules

Top techniques:DLL T1574.001, Inhibit System Recovery T1490, GUI Input Capture T1056.002, Regsvr32 T1218.010, Rundll32 T1218.011, Path Interception by Search Order Hijacking T1574.008

Sample rules (showing 8 of 16):

sigma UAC Bypass Using EventVwr
sigma Potential Azure Browser SSO Abuse
sigma CredUI.DLL Loaded By Uncommon Process
sigma Suspicious Volume Shadow Copy Vssapi.dll Load
sigma Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
sigma Unsigned DLL Loaded by Windows Utility
sigma Using SettingSyncHost.exe as LOLBin
sigma Suspicious Mshta.EXE Execution Patterns

ends_with: \msedgewebview2.exe 15 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Ingress Tool Transfer T1105, Gather Victim Network Information T1590, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 15):

starts_with: C:\Program Files\ 15 rules

Top techniques:Inhibit System Recovery T1490, Non-Standard Port T1571, Modify Registry T1112, Shortcut Modification T1547.009, GUI Input Capture T1056.002, DLL T1574.001

Sample rules (showing 8 of 15):

ends_with: \hh.exe 14 rules

Top techniques:System Binary Proxy Execution T1218, Compiled HTML File T1218.001, Windows Management Instrumentation T1047, Regsvr32 T1218.010, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 14):

match: :\Users\Public\ 14 rules

Top techniques:System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001, Ingress Tool Transfer T1105, Indirect Command Execution T1202, Command and Scripting Interpreter T1059, Data Encrypted for Impact T1486

Sample rules (showing 8 of 14):

starts_with: C:\Program Files (x86)\ 14 rules

Top techniques:Inhibit System Recovery T1490, Non-Standard Port T1571, Shortcut Modification T1547.009, GUI Input Capture T1056.002, DLL T1574.001, Software Packing T1027.002

Sample rules (showing 8 of 14):

ends_with: \MsMpEng.exe 13 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001, Disable or Modify Tools T1562.001, Impair Defenses T1562, Domain Trust Discovery T1482

Sample rules (showing 8 of 13):

ends_with: \calc.exe 13 rules

Top techniques:System Binary Proxy Execution T1218, Indirect Command Execution T1202, Masquerading T1036, Trusted Developer Utilities Proxy Execution T1127, Visual Basic T1059.005, Web Service T1102

Sample rules (showing 8 of 13):

ends_with: \maxthon.exe 13 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Gather Victim Network Information T1590, Spearphishing Attachment T1566.001, Malware T1587.001

Sample rules (showing 8 of 13):

ends_with: \powerpnt.exe 13 rules

Top techniques:Malicious File T1204.002, Process Injection T1055, Phishing T1566, Spearphishing Attachment T1566.001, Hijack Execution Flow T1574, DLL T1574.001

Sample rules (showing 8 of 13):

ends_with: \seamonkey.exe 13 rules

Sample rules (showing 8 of 13):

ends_with: \sh.exe 13 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003, Malicious File T1204.002, Command and Scripting Interpreter T1059, Web Service T1102, Distributed Component Object Model T1021.003

Sample rules (showing 8 of 13):

starts_with: C:\Windows\WinSxS\ 13 rules

Top techniques:DLL T1574.001, Inhibit System Recovery T1490, Match Legitimate Resource Name or Location T1036.005, Masquerading T1036, Direct Volume Access T1006, Disable Windows Event Logging T1562.002

Sample rules (showing 8 of 13):

ends_with: \WMIC.exe 12 rules

Top techniques:Windows Management Instrumentation T1047, System Information Discovery T1082, Automated Collection T1119, Impair Defenses T1562

Sample rules (showing 8 of 12):

ends_with: \WindowsApps\MicrosoftEdge.exe 12 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Gather Victim Network Information T1590, DLL T1574.001, System Network Configuration Discovery T1016

Sample rules (showing 8 of 12):

ends_with: \explorer.exe 12 rules

Top techniques:Process Injection T1055, Boot or Logon Autostart Execution T1547, LSASS Memory T1003.001, Network Share Discovery T1135, Bypass User Account Control T1548.002, Phishing T1566

Sample rules (showing 8 of 12):

ends_with: \safari.exe 12 rules

Sample rules (showing 8 of 12):

ends_with: \whale.exe 12 rules

Sample rules (showing 8 of 12):

eq: C:\Program Files\Google\Chrome\Application\chrome.exe 12 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Gather Victim Network Information T1590, File Deletion T1070.004, System Network Configuration Discovery T1016

Sample rules (showing 8 of 12):

eq: C:\Program Files\Mozilla Firefox\firefox.exe 12 rules

Sample rules (showing 8 of 12):

match: :\Temp\ 12 rules

Top techniques:System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001, Ingress Tool Transfer T1105, Indirect Command Execution T1202, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules (showing 8 of 12):

ends_with: \chrome.exe 11 rules

Top techniques:Ingress Tool Transfer T1105, Hidden Window T1564.003, Browser Extensions T1176.001, Domain Trust Discovery T1482, Spearphishing Attachment T1566.001, Malware T1587.001

Sample rules (showing 8 of 11):

ends_with: \findstr.exe 11 rules

Top techniques:Group Policy Preferences T1552.006, Security Software Discovery T1518.001, Process Injection T1055, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Steganography T1027.003

Sample rules (showing 8 of 11):

ends_with: \forfiles.exe 11 rules

Top techniques:Command and Scripting Interpreter T1059, Malicious File T1204.002, Process Injection T1055, Web Service T1102, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 11):

ends_with: \notepad.exe 11 rules

Top techniques:System Binary Proxy Execution T1218, Process Injection T1055, Trusted Developer Utilities Proxy Execution T1127, Visual Basic T1059.005, Indirect Command Execution T1202, Web Service T1102

Sample rules (showing 8 of 11):

ends_with: \odbcconf.exe 11 rules

Top techniques:Odbcconf T1218.008, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules (showing 8 of 11):

eq: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe 11 rules

Sample rules (showing 8 of 11):

eq: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 11 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Gather Victim Network Information T1590, File Deletion T1070.004, DLL T1574.001

Sample rules (showing 8 of 11):

eq: C:\Program Files (x86)\Mozilla Firefox\firefox.exe 11 rules

Sample rules (showing 8 of 11):

eq: C:\Program Files\Internet Explorer\iexplore.exe 11 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Process Injection T1055, Gather Victim Network Information T1590, DLL T1574.001

Sample rules (showing 8 of 11):

eq: C:\Program Files\Microsoft\Edge\Application\msedge.exe 11 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Gather Victim Network Information T1590, File Deletion T1070.004, DLL T1574.001

Sample rules (showing 8 of 11):

starts_with: C:\Program Files (x86)\Microsoft\EdgeCore\ 11 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Ingress Tool Transfer T1105, Gather Victim Network Information T1590, DLL T1574.001

Sample rules (showing 8 of 11):

starts_with: C:\Program Files\Microsoft\EdgeCore\ 11 rules

Top techniques:Web Service T1102, Remote Desktop Software T1219.002, Dead Drop Resolver T1102.001, Ingress Tool Transfer T1105, Gather Victim Network Information T1590, DLL T1574.001

Sample rules (showing 8 of 11):

ends_with: \OfficeClickToRun.exe 10 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Modify Registry T1112, Malware T1587.001, Add-ins T1137.006, Component Object Model Hijacking T1546.015

Sample rules (showing 8 of 10):

ends_with: \certoc.exe 10 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002

Sample rules (showing 8 of 10):

sigma Legitimate Application Dropped Archive
sigma Legitimate Application Dropped Executable
sigma Legitimate Application Writing Files In Uncommon Location
sigma Legitimate Application Dropped Script
sigma File Download via CertOC.EXE
sigma File Download From IP Based URL Via CertOC.EXE
sigma DLL Loaded via CertOC.EXE
sigma Suspicious DLL Loaded via CertOC.EXE

ends_with: \msdt.exe 10 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218, Malicious File T1204.002, Registry Run Keys / Startup Folder T1547.001, Masquerading T1036, Phishing T1566

Sample rules (showing 8 of 10):

eq: C:\Program Files (x86)\Internet Explorer\iexplore.exe 10 rules

Sample rules (showing 8 of 10):

starts_with: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ 10 rules

Sample rules (showing 8 of 10):

ends_with: \cmstp.exe 9 rules

Top techniques:CMSTP T1218.003, Process Injection T1055, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002

Sample rules (showing 8 of 9):

ends_with: \finger.exe 9 rules

Top techniques:System Binary Proxy Execution T1218, Windows Command Shell T1059.003, DNS T1071.004, Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003, Masquerading T1036

Sample rules (showing 8 of 9):

ends_with: \nltest.exe 9 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003, System Network Configuration Discovery T1016, Domain Trust Discovery T1482, Remote System Discovery T1018, Regsvr32 T1218.010

Sample rules (showing 8 of 9):

ends_with: \systeminfo.exe 9 rules

Top techniques:Web Shell T1505.003, Web Service T1102, Exploit Public-Facing Application T1190, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules (showing 8 of 9):

eq: C:\Windows\explorer.exe 9 rules

Top techniques:Inhibit System Recovery T1490, Process Injection T1055, File Deletion T1070.004, GUI Input Capture T1056.002, System Script Proxy Execution T1216, Scheduled Task/Job T1053

Sample rules (showing 8 of 9):

match: :\Windows\Temp\ 9 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Service Execution T1569.002, Trusted Developer Utilities Proxy Execution T1127, Visual Basic T1059.005

Sample rules (showing 8 of 9):

match: \AppData\ 9 rules

Top techniques:NTDS T1003.003, Security Account Manager T1003.002, Scheduled Task/Job T1053, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047

Sample rules (showing 8 of 9):

match: \AppData\Local\Temp\ 9 rules

Top techniques:DLL T1574.001, Service Execution T1569.002, Trusted Developer Utilities Proxy Execution T1127, Bypass User Account Control T1548.002, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules (showing 8 of 9):

ends_with: \WerFault.exe 8 rules

Top techniques:Masquerading T1036, Windows Management Instrumentation T1047, LSASS Memory T1003.001, Rundll32 T1218.011, Abuse Elevation Control Mechanism T1548, Bypass User Account Control T1548.002

Sample rules:

ends_with: \dllhost.exe 8 rules

Top techniques:Masquerading T1036, Inhibit System Recovery T1490, Process Injection T1055, Remote Desktop Software T1219.002, Windows Management Instrumentation T1047

Sample rules:

ends_with: \esentutl.exe 8 rules

Top techniques:System Binary Proxy Execution T1218, Process Injection T1055, Ingress Tool Transfer T1105, Security Account Manager T1003.002, NTDS T1003.003, Data from Local System T1005

Sample rules:

ends_with: \find.exe 8 rules

Top techniques:Group Policy Preferences T1552.006, Security Software Discovery T1518.001, Process Injection T1055, Steganography T1027.003, Masquerading T1036, Indirect Command Execution T1202

Sample rules:

ends_with: \regedit.exe 8 rules

Top techniques:Query Registry T1012, Modify Registry T1112, NTFS File Attributes T1564.004, Abuse Elevation Control Mechanism T1548, Rename Legitimate Utilities T1036.003

Sample rules:

sigma Exports Registry Key To an Alternate Data Stream
sigma PDF File Created By RegEdit.EXE
sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File
sigma Imports Registry Key From a File
sigma Imports Registry Key From an ADS
sigma Regedit as Trusted Installer
sigma Potential PendingFileRenameOperations Tampering

ends_with: \scrcons.exe 8 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Windows Management Instrumentation Event Subscription T1546.003, Web Service T1102, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules:

ends_with: \scriptrunner.exe 8 rules

Top techniques:Malicious File T1204.002, Command and Scripting Interpreter T1059, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \wsl.exe 8 rules

Top techniques:Exploit Public-Facing Application T1190, Security Account Manager T1003.002, NTDS T1003.003, Web Shell T1505.003, Masquerading T1036, Web Protocols T1071.001

Sample rules:

eq: System 8 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Distributed Component Object Model T1021.003, Web Shell T1505.003, Windows Management Instrumentation T1047, Direct Volume Access T1006, Scheduled Task/Job T1053

Sample rules:

match: \Downloads\ 8 rules

Top techniques:DLL T1574.001, Service Execution T1569.002, LSASS Memory T1003.001, Disable or Modify Tools T1562.001, Python T1059.006, Indirect Command Execution T1202

Sample rules:

match: \Users\Public\ 8 rules

Top techniques:DLL T1574.001, Trusted Developer Utilities Proxy Execution T1127, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002

Sample rules:

starts_with: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ 8 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006, Modify Registry T1112, Component Object Model Hijacking T1546.015

Sample rules:

ends_with: \TiWorker.exe 7 rules

Top techniques:Disable Windows Event Logging T1562.002, Screensaver T1546.002, Match Legitimate Resource Name or Location T1036.005, DLL T1574.001, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \conhost.exe 7 rules

Top techniques:Masquerading T1036, PowerShell T1059.001, Windows Command Shell T1059.003, Hidden Window T1564.003, Command and Scripting Interpreter T1059, External Remote Services T1133

Sample rules:

sigma Powershell Executed From Headless ConHost Process
sigma Conhost Spawned By Uncommon Parent Process
sigma Unusual Child Process of dns.exe
sigma Potential Defense Evasion Via Binary Rename
sigma Suspicious Process Parents
sigma System File Execution Location Anomaly
sigma Bypass UAC via WSReset.exe

ends_with: \livekd.exe 7 rules

Top techniques:Tool T1588.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \msbuild.exe 7 rules

Top techniques:Malicious File T1204.002, Windows Management Instrumentation T1047, Process Injection T1055, Command and Scripting Interpreter T1059, MSBuild T1127.001, Phishing T1566

Sample rules:

ends_with: \mspub.exe 7 rules

Top techniques:Malicious File T1204.002, System Binary Proxy Execution T1218

Sample rules:

ends_with: \msxsl.exe 7 rules

Top techniques:XSL Script Processing T1220, Process Injection T1055, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002

Sample rules:

ends_with: \thor.exe 7 rules

Top techniques:Remote Desktop Protocol T1021.001, Internal Proxy T1090.001, External Proxy T1090.002, PowerShell T1059.001, Inhibit System Recovery T1490, DLL T1574.001

Sample rules:

eq: C:\Windows\System32\poqexec.exe 7 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Netsh Helper DLL T1546.007, OS Credential Dumping T1003, Windows Service T1543.003, SIP and Trust Provider Hijacking T1553.003

Sample rules:

match: :\Perflogs\ 7 rules

Top techniques:Disable or Modify Tools T1562.001, Ingress Tool Transfer T1105, Command and Scripting Interpreter T1059, Data Encrypted for Impact T1486, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules:

match: :\Windows\SysWOW64\ 7 rules

Top techniques:Masquerading T1036, Disable Windows Event Logging T1562.002, LSASS Memory T1003.001, Native API T1106, Bypass User Account Control T1548.002

Sample rules:

match: \Windows\Temp\ 7 rules

Top techniques:System Binary Proxy Execution T1218, Command and Scripting Interpreter T1059, LSASS Memory T1003.001, Disable or Modify Tools T1562.001, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules:

starts_with: C:\ProgramData\Microsoft\Windows Defender\Platform\ 7 rules

Top techniques:DLL T1574.001, Disable or Modify Tools T1562.001, Direct Volume Access T1006

Sample rules:

starts_with: C:\Users\ 7 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001, Shortcut Modification T1547.009, GUI Input Capture T1056.002, Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \ADExplorer.exe 6 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482, Tool T1588.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202

Sample rules:

ends_with: \ADExplorer64.exe 6 rules

Sample rules:

ends_with: \AppVLP.exe 6 rules

Top techniques:Malicious File T1204.002, Web Service T1102, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \firefox.exe 6 rules

Top techniques:Domain Trust Discovery T1482, Spearphishing Attachment T1566.001, Malware T1587.001, Browser Session Hijacking T1185, Malicious File T1204.002

Sample rules:

ends_with: \mftrace.exe 6 rules

Top techniques:Malicious File T1204.002, Web Service T1102, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \mmc.exe 6 rules

Top techniques:MMC T1218.014, Distributed Component Object Model T1021.003, Visual Basic T1059.005, PowerShell T1059.001, Group Policy Modification T1484.001, Right-to-Left Override T1036.002

Sample rules:

sigma MMC Loading Script Engines DLLs
sigma Suspicious WSMAN Provider Image Loads
sigma Windows Default Domain GPO Modification via GPME
sigma MMC20 Lateral Movement
sigma MMC Executing Files with Reversed Extensions Using RTLO Abuse
sigma Suspicious Process Parents

ends_with: \onenote.exe 6 rules

Top techniques:Malicious File T1204.002

Sample rules:

ends_with: \onenoteim.exe 6 rules

Top techniques:Malicious File T1204.002

Sample rules:

ends_with: \ping.exe 6 rules

Top techniques:Obfuscated Files or Information T1027, Process Injection T1055, Exploit Public-Facing Application T1190, Web Shell T1505.003, Deobfuscate/Decode Files or Information T1140, OS Credential Dumping T1003

Sample rules:

sigma Rare Remote Thread Creation By Uncommon Source Image
sigma Suspicious Child Process Of SQL Server
sigma Suspicious Child Process Of Veeam Dabatase
sigma Ping Hex IP
sigma Obfuscated IP Via CLI
sigma Suspicious SYSTEM User Process Creation

ends_with: \procdump.exe 6 rules

Top techniques:Tool T1588.002, Rename Legitimate Utilities T1036.003, LSASS Memory T1003.001, Masquerading T1036, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202

Sample rules:

ends_with: \procexp.exe 6 rules

Top techniques:Tool T1588.002, Exploitation for Privilege Escalation T1068, GUI Input Capture T1056.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \procexp64.exe 6 rules

Sample rules:

ends_with: \thor64.exe 6 rules

Top techniques:Remote Desktop Protocol T1021.001, Internal Proxy T1090.001, External Proxy T1090.002, PowerShell T1059.001, Inhibit System Recovery T1490, DLL T1574.001

Sample rules:

ends_with: \w3wp.exe 6 rules

Top techniques:Web Shell T1505.003, Exploit Public-Facing Application T1190, Process Injection T1055, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

ends_with: \wbadmin.exe 6 rules

Top techniques:Inhibit System Recovery T1490, NTDS T1003.003, Indicator Removal T1070

Sample rules:

ends_with: \wevtutil.exe 6 rules

Top techniques:Account Discovery T1087, Remote Desktop Software T1219.002, Rename Legitimate Utilities T1036.003, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Clear Windows Event Logs T1070.001

Sample rules:

ends_with: \wget.exe 6 rules

Top techniques:Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, PowerShell T1059.001, Ingress Tool Transfer T1105, Stage Capabilities T1608

Sample rules:

ends_with: \wordview.exe 6 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Exploitation for Client Execution T1203

Sample rules:

eq: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe 6 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006, Component Object Model Hijacking T1546.015

Sample rules:

eq: C:\Program Files\Microsoft Office\root\integration\integrator.exe 6 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006, Component Object Model Hijacking T1546.015

Sample rules:

match: :\Program Files\ 6 rules

Top techniques:Domain Trust Discovery T1482, Protocol or Service Impersonation T1001.003, Disable Windows Event Logging T1562.002, LSASS Memory T1003.001, Native API T1106, Process Hollowing T1055.012

Sample rules:

match: :\Windows\System32\ 6 rules

Top techniques:Masquerading T1036, Disable Windows Event Logging T1562.002, LSASS Memory T1003.001, Native API T1106

Sample rules:

match: \Desktop\ 6 rules

Top techniques:DLL T1574.001, Service Execution T1569.002, LSASS Memory T1003.001, Disable or Modify Tools T1562.001, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: \Favorites\ 6 rules

Top techniques:Disable or Modify Tools T1562.001, Command and Scripting Interpreter T1059, Data Encrypted for Impact T1486, OS Credential Dumping T1003, Ingress Tool Transfer T1105, LSASS Memory T1003.001

Sample rules:

ends_with: \AnyDesk.exe 5 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

ends_with: \CertReq.exe 5 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Windows Management Instrumentation T1047, PowerShell T1059.001, Windows Command Shell T1059.003, Visual Basic T1059.005

Sample rules:

ends_with: \InstallUtil.exe 5 rules

Top techniques:Rundll32 T1218.011, Regsvr32 T1218.010, System Binary Proxy Execution T1218, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \MpCmdRun.exe 5 rules

Top techniques:DLL T1574.001, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001, Native API T1106

Sample rules:

ends_with: \MsSense.exe 5 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001, Impair Defenses T1562

Sample rules:

ends_with: \WINWORD.exe 5 rules

Top techniques:Indirect Command Execution T1202, Office Application Startup T1137, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \csc.exe 5 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Exploit Public-Facing Application T1190

Sample rules:

ends_with: \eqnedt32.exe 5 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Exploitation for Client Execution T1203

Sample rules:

ends_with: \gpg.exe 5 rules

Top techniques:Data Encrypted for Impact T1486

Sample rules:

sigma File Decryption Using Gpg4win
sigma File Encryption Using Gpg4win
sigma Portable Gpg.EXE Execution
sigma File Encryption/Decryption Via Gpg4win From Suspicious Locations
sigma Renamed Gpg.EXE Execution

ends_with: \gpg2.exe 5 rules

Top techniques:Data Encrypted for Impact T1486

Sample rules:

sigma File Decryption Using Gpg4win
sigma File Encryption Using Gpg4win
sigma Portable Gpg.EXE Execution
sigma File Encryption/Decryption Via Gpg4win From Suspicious Locations
sigma Renamed Gpg.EXE Execution

ends_with: \handle.exe 5 rules

Top techniques:Tool T1588.002, LSASS Memory T1003.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \handle64.exe 5 rules

Sample rules:

ends_with: \installutil.exe 5 rules

Top techniques:Windows Management Instrumentation T1047, Regsvr32 T1218.010, Phishing T1566, Spearphishing Attachment T1566.001, Process Injection T1055, PowerShell T1059.001

Sample rules:

ends_with: \livekd64.exe 5 rules

Top techniques:Tool T1588.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \lsass.exe 5 rules

Top techniques:Masquerading T1036, LSASS Memory T1003.001, Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005, Local Account T1136.001

Sample rules:

ends_with: \mstsc.exe 5 rules

Top techniques:Remote Desktop Software T1219.002, Remote Desktop Protocol T1021.001

Sample rules:

ends_with: \netstat.exe 5 rules

Top techniques:Process Injection T1055, Web Shell T1505.003, Exploit Public-Facing Application T1190, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

ends_with: \procdump64.exe 5 rules

Sample rules:

ends_with: \query.exe 5 rules

Top techniques:Web Service T1102, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

ends_with: \robocopy.exe 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, Process Injection T1055, Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

ends_with: \vssadmin.exe 5 rules

Top techniques:Inhibit System Recovery T1490, Process Injection T1055, OS Credential Dumping T1003, Security Account Manager T1003.002, NTDS T1003.003, Indicator Removal T1070

Sample rules:

ends_with: \winget.exe 5 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

ends_with: \winlogon.exe 5 rules

Top techniques:Masquerading T1036, Process Injection T1055, Rundll32 T1218.011, Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005

Sample rules:

ends_with: \wordpad.exe 5 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105

Sample rules:

ends_with: \xcopy.exe 5 rules

Top techniques:Rename Legitimate Utilities T1036.003, Windows Command Shell T1059.003, Credentials from Web Browsers T1555.003, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

eq: C:\Windows\system32\svchost.exe 5 rules

Top techniques:File Deletion T1070.004, Masquerading T1036, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001, Component Object Model Hijacking T1546.015

Sample rules:

sigma TeamViewer Log File Deleted
sigma Windows Binaries Write Suspicious Extensions
sigma Removal of Potential COM Hijacking Registry Keys
sigma CurrentVersion NT Autorun Keys Modification
sigma COM Hijacking via TreatAs

match: :\Windows\Tasks\ 5 rules

Top techniques:Ingress Tool Transfer T1105, Trusted Developer Utilities Proxy Execution T1127, Masquerading T1036

Sample rules:

match: \AppData\Local\Programs\Opera\ 5 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001, Process Hollowing T1055.012

Sample rules:

match: \Contacts\ 5 rules

Sample rules:

match: \Favourites\ 5 rules

Sample rules:

match: \Pictures\ 5 rules

Top techniques:Disable or Modify Tools T1562.001, Command and Scripting Interpreter T1059, OS Credential Dumping T1003, Ingress Tool Transfer T1105, LSASS Memory T1003.001

Sample rules:

match: \Temp\ 5 rules

Top techniques:NTDS T1003.003, Security Account Manager T1003.002, NTFS File Attributes T1564.004, Modify Registry T1112

Sample rules:

sigma NTDS.DIT Creation By Uncommon Process
sigma Suspicious Process Patterns NTDS.DIT Exfil
sigma Use Short Name Path in Image
sigma Service Binary in Suspicious Folder
sigma Internet Explorer DisableFirstRunCustomize Enabled

starts_with: C:\Program Files (x86)\Windows Defender\ 5 rules

Top techniques:DLL T1574.001, Disable or Modify Tools T1562.001

Sample rules:

starts_with: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ 5 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Modify Registry T1112

Sample rules:

starts_with: C:\Program Files\Windows Defender\ 5 rules

Top techniques:DLL T1574.001, Disable or Modify Tools T1562.001

Sample rules:

ends_with: .exe 4 rules

Top techniques:Disable or Modify Tools T1562.001, Malicious File T1204.002

Sample rules:

ends_with: \ADExplorer64a.exe 4 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \AnyDeskMSI.exe 4 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

ends_with: \Desktopimgdownldr.exe 4 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105

Sample rules:

ends_with: \Flock.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \POWERPNT.EXE 4 rules

Top techniques:Indirect Command Execution T1202, Process Injection T1055, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \Phoebe.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \RdrCEF.exe 4 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105

Sample rules:

ends_with: \RuntimeBroker.exe 4 rules

Top techniques:Masquerading T1036, Spearphishing Attachment T1566.001

Sample rules:

sigma Office Macro File Download
sigma .RDP File Created By Uncommon Application
sigma Windows Binaries Write Suspicious Extensions
sigma System File Execution Location Anomaly

ends_with: \Teams.exe 4 rules

Top techniques:GUI Input Capture T1056.002, Malicious File T1204.002, Add-ins T1137.006

Sample rules:

ends_with: \Waterfox.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \addinutil.exe 4 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \appcmd.exe 4 rules

Top techniques:Disable Windows Event Logging T1562.002, OS Credential Dumping T1003, Web Shell T1505.003

Sample rules:

ends_with: \avant.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \bcdedit.exe 4 rules

Top techniques:Inhibit System Recovery T1490, Indicator Removal T1070, Bootkit T1542.003, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Masquerading T1036

Sample rules:

ends_with: \dism.exe 4 rules

Top techniques:Bypass User Account Control T1548.002, DLL T1574.001, Masquerading T1036

Sample rules:

sigma UAC Bypass With Fake DLL
sigma PowerShell Web Access Feature Enabled Via DISM
sigma System File Execution Location Anomaly
sigma UAC Bypass Using PkgMgr and DISM

ends_with: \falkon.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \fsutil.exe 4 rules

Top techniques:Peripheral Device Discovery T1120, Indicator Removal T1070, Data Destruction T1485, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Remote System Discovery T1018

Sample rules:

sigma Fsutil Drive Enumeration
sigma Fsutil Suspicious Invocation
sigma Suspicious Spool Service Child Process
sigma Webshell Hacking Activity Patterns

ends_with: \iexplore.exe 4 rules

Top techniques:Process Injection T1055, Spearphishing Attachment T1566.001, Malware T1587.001

Sample rules:

sigma Remote Thread Creation By Uncommon Source Image
sigma Office Macro File Download
sigma .RDP File Created By Uncommon Application
sigma VHD Image Download Via Browser

ends_with: \nslookup.exe 4 rules

Top techniques:Process Injection T1055, PowerShell T1059.001, Visual Basic T1059.005, System Binary Proxy Execution T1218, Remote System Discovery T1018, System Owner/User Discovery T1033

Sample rules:

ends_with: \ntdsutil.exe 4 rules

Top techniques:NTDS T1003.003, Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Exploit Public-Facing Application T1190

Sample rules:

ends_with: \psloglist.exe 4 rules

Top techniques:Tool T1588.002, Account Discovery T1087, Local Account T1087.001, Domain Account T1087.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202

Sample rules:

ends_with: \psloglist64.exe 4 rules

Sample rules:

ends_with: \rar.exe 4 rules

Top techniques:Archive via Utility T1560.001, Command and Scripting Interpreter T1059

Sample rules:

sigma Files Added To An Archive Using Rar.EXE
sigma Suspicious Greedy Compression Using Rar.EXE
sigma Winrar Compressing Dump Files
sigma WinRAR Execution in Non-Standard Folder

ends_with: \regasm.exe 4 rules

Top techniques:Regsvcs/Regasm T1218.009, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \runonce.exe 4 rules

Top techniques:Process Injection T1055, Rundll32 T1218.011, Modify Registry T1112, Masquerading T1036

Sample rules:

ends_with: \slimbrowser.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \tasklist.exe 4 rules

Top techniques:Web Shell T1505.003, Exploit Public-Facing Application T1190, OS Credential Dumping T1003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

ends_with: \verclsid.exe 4 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010, Phishing T1566, Spearphishing Attachment T1566.001, System Binary Proxy Execution T1218

Sample rules:

sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process
sigma Verclsid.exe Runs COM Object
sigma Suspicious WmiPrvSE Child Process

ends_with: \werfault.exe 4 rules

Top techniques:Regsvr32 T1218.010, Masquerading T1036, Bypass User Account Control T1548.002

Sample rules:

ends_with: \wt.exe 4 rules

Top techniques:Inhibit System Recovery T1490, Security Account Manager T1003.002, NTDS T1003.003, Accessibility Features T1546.008

Sample rules:

sigma Backup Files Deleted
sigma NTDS.DIT Creation By Uncommon Process
sigma Sticky Key Like Backdoor Execution
sigma Suspicious Child Process Of Veeam Dabatase

eq: C:\Program Files\PowerShell\7\pwsh.exe 4 rules

Top techniques:PowerShell T1059.001, File Deletion T1070.004, Distributed Component Object Model T1021.003

Sample rules:

eq: C:\Windows\ImmersiveControlPanel\SystemSettings.exe 4 rules

Top techniques:Inhibit System Recovery T1490, GUI Input Capture T1056.002, Direct Volume Access T1006

Sample rules:

eq: C:\Windows\SysWOW64\msiexec.exe 4 rules

Top techniques:Modify Registry T1112, Add-ins T1137.006, Component Object Model Hijacking T1546.015

Sample rules:

eq: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 4 rules

Top techniques:PowerShell T1059.001, File Deletion T1070.004, Distributed Component Object Model T1021.003

Sample rules:

eq: C:\Windows\System32\msiexec.exe 4 rules

Top techniques:Modify Registry T1112, Add-ins T1137.006, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

eq: C:\Windows\System32\svchost.exe 4 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, Registry Run Keys / Startup Folder T1547.001, Disable Windows Event Logging T1562.002, Impair Defenses T1562, Service Execution T1569.002

Sample rules:

sigma Suspicious Process Masquerading As SvcHost.EXE
sigma Classes Autorun Keys Modification
sigma Disable Windows Event Logging Via Registry
sigma WFP Filter Added via Registry

match: :\PerfLogs\ 4 rules

Top techniques:System Binary Proxy Execution T1218, Visual Basic T1059.005, Indirect Command Execution T1202

Sample rules:

match: :\Program Files (x86)\ 4 rules

Top techniques:Domain Trust Discovery T1482, Disable Windows Event Logging T1562.002, LSASS Memory T1003.001, Native API T1106

Sample rules:

match: :\Program Files\Microsoft Office\ 4 rules

Top techniques:Malware T1587.001, Modify Registry T1112

Sample rules:

match: :\Windows\System32\Tasks\ 4 rules

Top techniques:Ingress Tool Transfer T1105, Trusted Developer Utilities Proxy Execution T1127, Masquerading T1036

Sample rules:

match: C:\Program Files\WindowsApps\Microsoft.PowerShellPreview 4 rules

Top techniques:PowerShell T1059.001, Masquerading T1036

Sample rules:

match: \AppData\Local\Flock\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: \AppData\Local\Maxthon\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: \AppData\Local\Microsoft\OneDrive\ 4 rules

Top techniques:Shortcut Modification T1547.009, GUI Input Capture T1056.002, Web Service T1102, Dead Drop Resolver T1102.001, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules:

match: \AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview 4 rules

Top techniques:PowerShell T1059.001, Masquerading T1036

Sample rules:

match: \AppData\Local\Phoebe\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: \AppData\Local\Vivaldi\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: \Music\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, Ingress Tool Transfer T1105, LSASS Memory T1003.001

Sample rules:

match: \Users\Default\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, LSASS Memory T1003.001, Indirect Command Execution T1202

Sample rules:

match: \Videos\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, Ingress Tool Transfer T1105, LSASS Memory T1003.001

Sample rules:

match: \Windows\System32\Tasks\ 4 rules

Top techniques:System Binary Proxy Execution T1218, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

match: \Windows\Tasks\ 4 rules

Sample rules:

match: \Windows\addins\ 4 rules

Top techniques:Ingress Tool Transfer T1105, Indirect Command Execution T1202

Sample rules:

match: \config\systemprofile\ 4 rules

Top techniques:Ingress Tool Transfer T1105, Masquerading T1036, Indirect Command Execution T1202

Sample rules:

starts_with: C:\Program Files (x86)\Avant Browser\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files (x86)\Falkon\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files (x86)\Naver\Naver Whale\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files (x86)\SeaMonkey\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files (x86)\SlimBrowser\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files (x86)\Waterfox\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\Avant Browser\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\BraveSoftware\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\Falkon\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\Naver\Naver Whale\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\SeaMonkey\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\SlimBrowser\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\Waterfox\ 4 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Windows\ 4 rules

Top techniques:Shortcut Modification T1547.009, Inhibit System Recovery T1490, Indicator Removal T1070, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

ends_with: :\Windows\System32\mmc.exe 3 rules

Top techniques:Data from Local System T1005, Bypass User Account Control T1548.002, Masquerading T1036

Sample rules:

ends_with: \7z.exe 3 rules

Top techniques:Archive via Utility T1560.001, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \7za.exe 3 rules

Top techniques:Archive via Utility T1560.001, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \ADExp.exe 3 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

ends_with: \AcroRd32.exe 3 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \Discord.exe 3 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \MicrosoftEdge.exe 3 rules

Top techniques:Spearphishing Attachment T1566.001, Malware T1587.001, Ingress Tool Transfer T1105, Hidden Window T1564.003

Sample rules:

sigma Office Macro File Download
sigma VHD Image Download Via Browser
sigma File Download with Headless Browser

ends_with: \Midori Next Generation.exe 3 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \ONENOTE.EXE 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Rename Legitimate Utilities T1036.003

Sample rules:

sigma OneNote Attachment File Dropped In Suspicious Location
sigma Startup Folder File Write
sigma Renamed Office Binary Execution

ends_with: \OUTLOOK.EXE 3 rules

Top techniques:Protocol or Service Impersonation T1001.003, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \PingCastle.exe 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

ends_with: \PsService.exe 3 rules

Top techniques:Service Stop T1489, Disable or Modify Tools T1562.001, Windows Service T1543.003, Tool T1588.002

Sample rules:

ends_with: \PsService64.exe 3 rules

Top techniques:Service Stop T1489, Disable or Modify Tools T1562.001, Windows Service T1543.003, Tool T1588.002

Sample rules:

ends_with: \RegAsm.exe 3 rules

Top techniques:Rundll32 T1218.011, Regsvr32 T1218.010, Regsvcs/Regasm T1218.009

Sample rules:

ends_with: \Sysmon.exe 3 rules

Top techniques:Disable or Modify Tools T1562.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

sigma Sysmon Configuration Update
sigma Uninstall Sysinternals Sysmon
sigma Potential Binary Impersonating Sysinternals Tools

ends_with: \Sysmon64.exe 3 rules

Top techniques:Disable or Modify Tools T1562.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

sigma Sysmon Configuration Update
sigma Uninstall Sysinternals Sysmon
sigma Potential Binary Impersonating Sysinternals Tools

ends_with: \WmiPrvSE.exe 3 rules

Top techniques:Windows Management Instrumentation T1047, Inhibit System Recovery T1490, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

sigma Suspicious Volume Shadow Copy VSS_PS.dll Load
sigma WmiPrvSE Spawned A Process
sigma Suspicious WmiPrvSE Child Process

ends_with: \accesschk.exe 3 rules

Top techniques:Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Local Groups T1069.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \arp.exe 3 rules

Top techniques:Process Injection T1055, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

sigma Potential Process Injection Via Msra.EXE
sigma Obfuscated IP Via CLI
sigma Suspicious Process By Web Server Process

ends_with: \aspnet_compiler.exe 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127

Sample rules:

ends_with: \attrib.exe 3 rules

Top techniques:Hidden Files and Directories T1564.001, Windows Command Shell T1059.003

Sample rules:

ends_with: \cloudflared.exe 3 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Portable Execution
sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

ends_with: \cmdkey.exe 3 rules

Top techniques:Cached Domain Credentials T1003.005, System Owner/User Discovery T1033, Local Account T1087.001

Sample rules:

ends_with: \code.exe 3 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

ends_with: \control.exe 3 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010, System Binary Proxy Execution T1218

Sample rules:

sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process
sigma Execution via WorkFolders.exe

ends_with: \csrss.exe 3 rules

Top techniques:Masquerading T1036, Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005

Sample rules:

ends_with: \diskshadow.exe 3 rules

Top techniques:System Binary Proxy Execution T1218, Indicator Removal T1070, Inhibit System Recovery T1490

Sample rules:

ends_with: \expand.exe 3 rules

Top techniques:System Binary Proxy Execution T1218, Process Injection T1055, Ingress Tool Transfer T1105

Sample rules:

ends_with: \ftp.exe 3 rules

Top techniques:Command and Scripting Interpreter T1059, Indirect Command Execution T1202, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

ends_with: \gup.exe 3 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, DLL T1574.001

Sample rules:

ends_with: \ldifde.exe 3 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

ends_with: \msteams.exe 3 rules

Sample rules:

ends_with: \ngen.exe 3 rules

Top techniques:Process Injection T1055, Registry Run Keys / Startup Folder T1547.001, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

ends_with: \node.exe 3 rules

Top techniques:JavaScript T1059.007, Trusted Developer Utilities Proxy Execution T1127

Sample rules:

ends_with: \pcalua.exe 3 rules

Top techniques:Command and Scripting Interpreter T1059, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

sigma Use of Pcalua For Execution
sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process

ends_with: \pspasswd.exe 3 rules

Top techniques:Tool T1588.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \pspasswd64.exe 3 rules

Top techniques:Tool T1588.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \pssuspend.exe 3 rules

Top techniques:Windows Service T1543.003, Disable or Modify Tools T1562.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \pssuspend64.exe 3 rules

Sample rules:

ends_with: \python.exe 3 rules

Top techniques:Process Injection T1055, Security Account Manager T1003.002, Remote System Discovery T1018

Sample rules:

ends_with: \regsvcs.exe 3 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010, Rundll32 T1218.011

Sample rules:

ends_with: \sdelete.exe 3 rules

Top techniques:Data Destruction T1485, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218, Tool T1588.002

Sample rules:

ends_with: \services.exe 3 rules

Top techniques:Abuse Elevation Control Mechanism T1548, Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005, Masquerading T1036

Sample rules:

ends_with: \ssh.exe 3 rules

Top techniques:Protocol Tunneling T1572, Remote Desktop Protocol T1021.001, SSH T1021.004, System Binary Proxy Execution T1218

Sample rules:

ends_with: \visio.exe 3 rules

Top techniques:Malicious File T1204.002, System Binary Proxy Execution T1218, Add-ins T1137.006

Sample rules:

ends_with: \vmmap.exe 3 rules

Top techniques:DLL T1574.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \vmmap64.exe 3 rules

Top techniques:DLL T1574.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \wermgr.exe 3 rules

Top techniques:Rename Legitimate Utilities T1036.003, Masquerading T1036

Sample rules:

ends_with: \wininit.exe 3 rules

Top techniques:Masquerading T1036, Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005

Sample rules:

ends_with: \wsmprovhost.exe 3 rules

Top techniques:Inhibit System Recovery T1490, Masquerading T1036, Windows Remote Management T1021.006, PowerShell T1059.001

Sample rules:

ends_with: \wusa.exe 3 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

ends_with: reg.exe 3 rules

Top techniques:Disable or Modify Tools T1562.001, Credentials in Registry T1552.002

Sample rules:

eq: C:\Program Files\AVG\Antivirus\RegSvr.exe 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006

Sample rules:

eq: C:\Program Files\Avast Software\Avast\RegSvr.exe 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006

Sample rules:

eq: C:\Program Files\PowerShell\7-preview\pwsh.exe 3 rules

Top techniques:File Deletion T1070.004, PowerShell T1059.001

Sample rules:

eq: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3 rules

Top techniques:File Deletion T1070.004, PowerShell T1059.001

Sample rules:

eq: C:\Windows\SysWOW64\svchost.exe 3 rules

Top techniques:Masquerading T1036, Match Legitimate Resource Name or Location T1036.005, Impair Defenses T1562, Service Execution T1569.002

Sample rules:

eq: C:\Windows\System32\ServerManager.exe 3 rules

Top techniques:PowerShell T1059.001, Distributed Component Object Model T1021.003

Sample rules:

eq: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe 3 rules

Top techniques:PowerShell T1059.001, Distributed Component Object Model T1021.003

Sample rules:

eq: C:\Windows\System32\cmd.exe 3 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003, PowerShell T1059.001, Bypass User Account Control T1548.002

Sample rules:

eq: C:\Windows\System32\wuauclt.exe 3 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: C:\Windows\servicing\TrustedInstaller.exe 3 rules

Top techniques:Disable Windows Event Logging T1562.002, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: Registry 3 rules

Top techniques:Direct Volume Access T1006

Sample rules:

in: "*\\ProgramData\\*" 3 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548, Ingress Tool Transfer T1105

Sample rules:

in: "*\\Temp\\*" 3 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548, Ingress Tool Transfer T1105

Sample rules:

match: :\ProgramData\ 3 rules

Sample rules:

match: :\Users\ 3 rules

Top techniques:Command and Scripting Interpreter T1059, Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001, Indirect Command Execution T1202

Sample rules:

match: :\Users\Default\ 3 rules

Top techniques:Ingress Tool Transfer T1105, Masquerading T1036

Sample rules:

match: :\Windows\Fonts\ 3 rules

Top techniques:Ingress Tool Transfer T1105, Masquerading T1036

Sample rules:

match: :\Windows\IME\ 3 rules

Top techniques:Ingress Tool Transfer T1105, Masquerading T1036

Sample rules:

match: :\Windows\Microsoft.NET\Framework64\ 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\Microsoft.NET\FrameworkArm64\ 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\Microsoft.NET\FrameworkArm\ 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\Microsoft.NET\Framework\ 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\WinSxS\ 3 rules

Top techniques:Native API T1106, System Binary Proxy Execution T1218, Masquerading T1036

Sample rules:

match: \AppData\Local\Programs\midori-ng\ 3 rules

Top techniques:Remote Desktop Software T1219.002, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: \AppData\Temp\ 3 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105

Sample rules:

match: \PerfLogs\ 3 rules

Top techniques:NTDS T1003.003, DLL T1574.001, Security Account Manager T1003.002

Sample rules:

match: \ntlmrelayx 3 rules

Top techniques:LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution
sigma Potential SMB Relay Attack Tool Execution

match: \smbrelayx 3 rules

Top techniques:LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution
sigma Potential SMB Relay Attack Tool Execution

starts_with: C:\Program Files (x86)\Microsoft Office\ 3 rules

Top techniques:Process Injection T1055, DLL T1574.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

starts_with: C:\Program Files\Microsoft Office\ 3 rules

Top techniques:Process Injection T1055, DLL T1574.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

starts_with: C:\Program Files\Microsoft\Exchange Server\ 3 rules

Top techniques:Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, PowerShell T1059.001, Windows Management Instrumentation Event Subscription T1546.003

Sample rules:

sigma Suspicious Outbound SMTP Connections
sigma Alternate PowerShell Hosts Pipe
sigma WMI Backdoor Exchange Transport Agent

starts_with: C:\Windows\Installer\MSI 3 rules

Top techniques:Modify Registry T1112, System Binary Proxy Execution T1218, Boot or Logon Autostart Execution T1547, Registry Run Keys / Startup Folder T1547.001

Sample rules:

starts_with: C:\Windows\Temp\asgard2-agent\ 3 rules

Top techniques:PowerShell T1059.001, Distributed Component Object Model T1021.003, Direct Volume Access T1006

Sample rules:

ends_with: .tmp 2 rules

Top techniques:Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001

Sample rules:

ends_with: :\Windows\SysWOW64\bash.exe 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

ends_with: :\Windows\System32\bash.exe 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

ends_with: :\Windows\System32\conhost.exe 2 rules

Top techniques:System Binary Proxy Execution T1218, Indirect Command Execution T1202

Sample rules:

ends_with: :\windows\system32\svchost.exe 2 rules

Top techniques:File Deletion T1070.004, Protocol or Service Impersonation T1001.003

Sample rules:

sigma Prefetch File Deleted
sigma ADSI-Cache File Creation By Uncommon Tool

ends_with: C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: C:\Program Files\PRTG Network Monitor\PRTG Probe.exe 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \7zr.exe 2 rules

Top techniques:Archive via Utility T1560.001

Sample rules:

ends_with: \AdFind.exe 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

ends_with: \Akagi.exe 2 rules

Top techniques:LSASS Memory T1003.001, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - UACMe Akagi Execution

ends_with: \Akagi64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - UACMe Akagi Execution

ends_with: \AppData\Local\Google\Chrome\Application\chrome.exe 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \AppData\Local\Microsoft\Teams\current\Teams.exe 2 rules

Top techniques:Native API T1106, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules:

ends_with: \AppData\Local\Mozilla Firefox\firefox.exe 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \AppData\Local\Programs\Microsoft VS Code\Code.exe 2 rules

Top techniques:LSASS Memory T1003.001, Native API T1106

Sample rules:

ends_with: \AppData\Local\WebEx\WebexHost.exe 2 rules

Top techniques:LSASS Memory T1003.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \AppData\Roaming\Spotify\Spotify.exe 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \Certify.exe 2 rules

Top techniques:LSASS Memory T1003.001, Steal or Forge Authentication Certificates T1649

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Certify Execution

ends_with: \Certipy.exe 2 rules

Top techniques:LSASS Memory T1003.001, Steal or Forge Authentication Certificates T1649

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Certipy Execution

ends_with: \CoercedPotato.exe 2 rules

Top techniques:LSASS Memory T1003.001, Process Injection T1055

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - CoercedPotato Execution

ends_with: \CreateMiniDump.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - CreateMiniDump Execution

ends_with: \Dbgview.exe 2 rules

Top techniques:Tool T1588.002, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \DismHost.exe 2 rules

Top techniques:Disable or Modify Tools T1562.001, Bypass User Account Control T1548.002

Sample rules:

sigma Dism Remove Online Package
sigma UAC Bypass Using NTFS Reparse Point - Process

ends_with: \Dropbox.exe 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001, Modify Registry T1112

Sample rules:

ends_with: \DumpMinitool.arm64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

ends_with: \DumpMinitool.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

ends_with: \DumpMinitool.x86.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

ends_with: \EXCEL.EXE 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

ends_with: \EXCEL.exe 2 rules

Top techniques:Office Application Startup T1137, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \GUP.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, DLL T1574.001

Sample rules:

sigma File Download Using Notepad++ GUP Utility
sigma Suspicious GUP Usage

ends_with: \GetADUsers_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \GetNPUsers_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \GetUserSPNs_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \IMEWDBLD.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

ends_with: \Inveigh.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Inveigh Execution

ends_with: \LocalPotato.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - LocalPotato Execution

ends_with: \MBAMInstallerService.exe 2 rules

Top techniques:LSASS Memory T1003.001, Hidden Files and Directories T1564.001

Sample rules:

ends_with: \MSPUB.EXE 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Hijack Execution Flow T1574, DLL T1574.001, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \Microsoft.Workflow.Compiler.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \Microsoft\Teams\current\Teams.exe 2 rules

Top techniques:Steal Application Access Token T1528, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \NisSrv.exe 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \PowerTool.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - PowerTool Execution

ends_with: \PowerTool64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - PowerTool Execution

ends_with: \PsExec.exe 2 rules

Top techniques:Tool T1588.002

Sample rules:

ends_with: \PsExec64.exe 2 rules

Top techniques:Tool T1588.002

Sample rules:

ends_with: \QtWeb.exe 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: \QuarksPwDump.exe 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Quarks PwDump Execution

ends_with: \QuickAssist.exe 2 rules

Top techniques:Web Protocols T1071.001, Exploitation of Remote Services T1210, Remote Desktop Software T1219.002

Sample rules:

sigma DNS Query Request By QuickAssist.EXE
sigma QuickAssist Execution

ends_with: \RDCMan.exe 2 rules

Top techniques:Remote Desktop Protocol T1021.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \RegSvcs.exe 2 rules

Top techniques:Rundll32 T1218.011, Regsvr32 T1218.010

Sample rules:

ends_with: \Regasm.exe 2 rules

Top techniques:Regsvcs/Regasm T1218.009

Sample rules:

ends_with: \Regsvcs.exe 2 rules

Top techniques:Regsvcs/Regasm T1218.009

Sample rules:

ends_with: \Rubeus.exe 2 rules

Top techniques:LSASS Memory T1003.001, OS Credential Dumping T1003, Pass the Ticket T1550.003, Kerberoasting T1558.003

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Rubeus Execution

ends_with: \SafetyKatz.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SafetyKatz Execution

ends_with: \SelectMyParent.exe 2 rules

Top techniques:LSASS Memory T1003.001, Parent PID Spoofing T1134.004

Sample rules:

ends_with: \SharPersist.exe 2 rules

Top techniques:LSASS Memory T1003.001, Scheduled Task/Job T1053

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharPersist Execution

ends_with: \SharpChisel.exe 2 rules

Top techniques:LSASS Memory T1003.001, Internal Proxy T1090.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharpChisel Execution

ends_with: \SharpEvtMute.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable Windows Event Logging T1562.002

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharpEvtMute Execution

ends_with: \SharpImpersonation.exe 2 rules

Top techniques:LSASS Memory T1003.001, Token Impersonation/Theft T1134.001, Make and Impersonate Token T1134.003

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharpImpersonation Execution

ends_with: \SharpLDAPmonitor.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharpLDAPmonitor Execution

ends_with: \SharpLdapWhoami.exe 2 rules

Top techniques:LSASS Memory T1003.001, System Owner/User Discovery T1033

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharpLdapWhoami Execution

ends_with: \SharpUp.exe 2 rules

Top techniques:LSASS Memory T1003.001, Service Execution T1569.002, Executable Installer File Permissions Weakness T1574.005, Group Policy Discovery T1615

Sample rules:

ends_with: \SharpView.exe 2 rules

Top techniques:LSASS Memory T1003.001, System Owner/User Discovery T1033, System Network Connections Discovery T1049, Domain Groups T1069.002, Network Share Discovery T1135, Domain Trust Discovery T1482

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SharpView Execution

ends_with: \Stracciatella.exe 2 rules

Top techniques:LSASS Memory T1003.001, Command and Scripting Interpreter T1059, Disable or Modify Tools T1562.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Stracciatella Execution

ends_with: \SysmonEOP.exe 2 rules

Top techniques:LSASS Memory T1003.001, Exploitation for Privilege Escalation T1068

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - SysmonEOP Execution

ends_with: \Tools\Binn\SQLPS.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

ends_with: \TrolleyExpress.exe 2 rules

Top techniques:LSASS Memory T1003.001, Rundll32 T1218.011

Sample rules:

ends_with: \TruffleSnout.exe 2 rules

Top techniques:LSASS Memory T1003.001, Domain Trust Discovery T1482

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - TruffleSnout Execution

ends_with: \VMwareToolBoxCmd.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

ends_with: \VMwareXferlogs.exe 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \WerFaultSecure.exe 2 rules

Top techniques:Disable or Modify Tools T1562.001, LSASS Memory T1003.001

Sample rules:

ends_with: \WinRAR.exe 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \Windows\System32\lsass.exe 2 rules

Top techniques:Kerberoasting T1558.003, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules:

ends_with: \accesschk64.exe 2 rules

Top techniques:Local Groups T1069.001, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \at.exe 2 rules

Top techniques:At T1053.002, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

sigma Interactive AT Job
sigma Suspicious Process By Web Server Process

ends_with: \atexec_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \aurora-agent-64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \aurora-agent.exe 2 rules

Top techniques:LSASS Memory T1003.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \certreq.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, Masquerading T1036

Sample rules:

ends_with: \chcp.com 2 rules

Top techniques:System Language Discovery T1614.001, Masquerading T1036

Sample rules:

sigma Console CodePage Lookup Via CHCP
sigma Suspicious CodePage Switch Via CHCP

ends_with: \cipher.exe 2 rules

Top techniques:Data Destruction T1485, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203

Sample rules:

ends_with: \client32.exe 2 rules

Sample rules:

ends_with: \cloudflared-windows-386.exe 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

ends_with: \cloudflared-windows-amd64.exe 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

ends_with: \cmdl32.exe 2 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, Indirect Command Execution T1202

Sample rules:

ends_with: \code-tunnel.exe 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

ends_with: \crackmapexec.exe 2 rules

Top techniques:LSASS Memory T1003.001, Windows Management Instrumentation T1047, Scheduled Task/Job T1053, PowerShell T1059.001, Windows Command Shell T1059.003, Brute Force T1110

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - CrackMapExec Execution

ends_with: \createdump.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma CreateDump Process Dump
sigma Renamed CreateDump Utility Execution

ends_with: \csi.exe 2 rules

Top techniques:Software Deployment Tools T1072, System Binary Proxy Execution T1218, Trusted Developer Utilities Proxy Execution T1127

Sample rules:

sigma Suspicious Csi.exe Usage
sigma Suspicious Use of CSharp Interactive Console

ends_with: \cvtres.exe 2 rules

Top techniques:Process Injection T1055, Compile After Delivery T1027.004

Sample rules:

ends_with: \dcomexec_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \dctask64.exe 2 rules

Top techniques:Dynamic-link Library Injection T1055.001, Masquerading T1036, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \defrag.exe 2 rules

Top techniques:Process Injection T1055, Masquerading T1036

Sample rules:

ends_with: \dns.exe 2 rules

Top techniques:External Remote Services T1133

Sample rules:

sigma Unusual File Modification by dns.exe
sigma Unusual File Deletion by Dns.exe

ends_with: \dnscmd.exe 2 rules

Top techniques:Modify Registry T1112, DLL T1574.001

Sample rules:

ends_with: \dnx.exe 2 rules

Top techniques:Process Injection T1055, Compile After Delivery T1027.004, System Binary Proxy Execution T1218

Sample rules:

ends_with: \dotnet.exe 2 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003, System Binary Proxy Execution T1218

Sample rules:

ends_with: \dpapi_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \dsacls.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \dsquery.exe 2 rules

Top techniques:Domain Trust Discovery T1482, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

ends_with: \dump64.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: \extrac32.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

ends_with: \findDelegation_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \fltMC.exe 2 rules

Top techniques:Indicator Removal T1070, Impair Defenses T1562, Disable Windows Event Logging T1562.002

Sample rules:

sigma Filter Driver Unloaded Via Fltmc.EXE
sigma Sysmon Driver Unloaded Via Fltmc.EXE

ends_with: \getPac_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \getST_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \getTGT_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \gmer.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: \gpupdate.exe 2 rules

Top techniques:Process Injection T1055, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203

Sample rules:

ends_with: \hashcat.exe 2 rules

Top techniques:LSASS Memory T1003.001, Password Cracking T1110.002

Sample rules:

ends_with: \htran.exe 2 rules

Top techniques:LSASS Memory T1003.001, Proxy T1090

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Htran/NATBypass Execution

ends_with: \ie4uinit.exe 2 rules

Top techniques:System Binary Proxy Execution T1218, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \ieexec.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \ifmap_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \ipconfig.exe 2 rules

Top techniques:Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003, Masquerading T1036, Process Injection T1055

Sample rules:

ends_with: \javaw.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \ksetup.exe 2 rules

Sample rules:

ends_with: \livek64.exe 2 rules

Sample rules:

sigma LiveKD Driver Creation
sigma LiveKD Driver Creation By Uncommon Process

ends_with: \lsm.exe 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005, Masquerading T1036

Sample rules:

ends_with: \mimikatz_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \mobsync.exe 2 rules

Top techniques:Process Injection T1055, System Binary Proxy Execution T1218

Sample rules:

ends_with: \msaccess.exe 2 rules

Top techniques:Malicious File T1204.002, System Binary Proxy Execution T1218

Sample rules:

ends_with: \mscorsvw.exe 2 rules

Top techniques:PowerShell T1059.001, Distributed Component Object Model T1021.003

Sample rules:

ends_with: \msedge_proxy.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \msidb.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \netview_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \nmapAnswerMachine_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \opdump_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \plink.exe 2 rules

Top techniques:Protocol Tunneling T1572, Masquerading T1036

Sample rules:

sigma Potential RDP Tunneling Via Plink
sigma Renamed Plink Execution

ends_with: \presentationhost.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \procmon.exe 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \procmon64.exe 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \psexec.exe 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Remote Services T1021, System Services T1569

Sample rules:

ends_with: \psexec_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \pypykatz.exe 2 rules

Top techniques:LSASS Memory T1003.001, Security Account Manager T1003.002

Sample rules:

ends_with: \quser.exe 2 rules

Top techniques:System Owner/User Discovery T1033, Local Account T1087.001, Remote System Discovery T1018, Account Discovery T1087, Web Shell T1505.003

Sample rules:

sigma Local Accounts Discovery
sigma Webshell Detection With Command Line Keywords

ends_with: \qwinsta.exe 2 rules

Top techniques:System Owner/User Discovery T1033, Local Account T1087.001, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

sigma Local Accounts Discovery
sigma Suspicious Process By Web Server Process

ends_with: \rdp_check_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \regini.exe 2 rules

Top techniques:Modify Registry T1112

Sample rules:

ends_with: \replace.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

ends_with: \rfusclient.exe 2 rules

Sample rules:

ends_with: \ruby.exe 2 rules

Top techniques:Windows Remote Management T1021.006, Command and Scripting Interpreter T1059

Sample rules:

sigma HackTool - WinRM Access Via Evil-WinRM
sigma Ruby Inline Command Execution

ends_with: \rutserv.exe 2 rules

Sample rules:

ends_with: \sambaPipe_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \sdbinst.exe 2 rules

Top techniques:Application Shimming T1546.011

Sample rules:

ends_with: \sdelete64.exe 2 rules

Top techniques:Data Destruction T1485, Match Legitimate Resource Name or Location T1036.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \shutdown.exe 2 rules

Top techniques:System Shutdown/Reboot T1529

Sample rules:

ends_with: \sihost.exe 2 rules

Top techniques:Masquerading T1036

Sample rules:

ends_with: \smartscreen.exe 2 rules

Top techniques:Process Injection T1055, Masquerading T1036

Sample rules:

ends_with: \smbclient_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \smbserver_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \smss.exe 2 rules

Top techniques:Masquerading T1036

Sample rules:

ends_with: \sniff_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \sniffer_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \split_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \spoolsv.exe 2 rules

Top techniques:Process Injection T1055, Masquerading T1036

Sample rules:

ends_with: \sqlcmd.exe 2 rules

Top techniques:Data from Local System T1005

Sample rules:

ends_with: \sqlite.exe 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003

Sample rules:

ends_with: \sqlite3.exe 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003

Sample rules:

ends_with: \squirrel.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \tar.exe 2 rules

Top techniques:Archive Collected Data T1560, Archive via Utility T1560.001

Sample rules:

ends_with: \taskhost.exe 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Match Legitimate Resource Name or Location T1036.005, Masquerading T1036

Sample rules:

ends_with: \taskhostw.exe 2 rules

Top techniques:Inhibit System Recovery T1490, Masquerading T1036

Sample rules:

ends_with: \taskkill.exe 2 rules

Top techniques:Masquerading T1036, System Binary Proxy Execution T1218, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203

Sample rules:

ends_with: \taskmgr.exe 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Masquerading T1036

Sample rules:

sigma Suspicious Spool Service Child Process
sigma Taskmgr as LOCAL_SYSTEM

ends_with: \teams.exe 2 rules

Sample rules:

ends_with: \thunderbird.exe 2 rules

Top techniques:Spearphishing Attachment T1566.001, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003

Sample rules:

sigma Office Macro File Download
sigma Suspicious Outbound SMTP Connections

ends_with: \ticketer_windows.exe 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

ends_with: \tomcat\bin\tomcat8.exe 2 rules

Top techniques:Kerberoasting T1558.003, Pass the Ticket T1550.003, Steal or Forge Kerberos Tickets T1558

Sample rules:

ends_with: \tscon.exe 2 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

sigma Suspicious TSCON Start as SYSTEM
sigma Potential RDP Session Hijacking Activity

ends_with: \update.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \userinit.exe 2 rules

Top techniques:Process Injection T1055, Masquerading T1036

Sample rules:

ends_with: \vssvc.exe 2 rules

Top techniques:Process Injection T1055, Inhibit System Recovery T1490

Sample rules:

ends_with: \w32tm.exe 2 rules

Top techniques:System Time Discovery T1124

Sample rules:

sigma Discovery of a System Time
sigma Use of W32tm as Timer

ends_with: \wab.exe 2 rules

Sample rules:

ends_with: \wabmig.exe 2 rules

Sample rules:

ends_with: \winPEASany.exe 2 rules

Top techniques:LSASS Memory T1003.001, Network Service Discovery T1046, System Information Discovery T1082, Account Discovery T1087

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - winPEAS Execution

ends_with: \winPEASany_ofs.exe 2 rules

Top techniques:LSASS Memory T1003.001, Network Service Discovery T1046, System Information Discovery T1082, Account Discovery T1087

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - winPEAS Execution

ends_with: \winPEASx64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Network Service Discovery T1046, System Information Discovery T1082, Account Discovery T1087

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - winPEAS Execution

ends_with: \winPEASx64_ofs.exe 2 rules

Top techniques:LSASS Memory T1003.001, Network Service Discovery T1046, System Information Discovery T1082, Account Discovery T1087

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - winPEAS Execution

ends_with: \winPEASx86.exe 2 rules

Top techniques:LSASS Memory T1003.001, Network Service Discovery T1046, System Information Discovery T1082, Account Discovery T1087

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - winPEAS Execution

ends_with: \winPEASx86_ofs.exe 2 rules

Top techniques:LSASS Memory T1003.001, Network Service Discovery T1046, System Information Discovery T1082, Account Discovery T1087

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - winPEAS Execution

ends_with: \winrar.exe 2 rules

Top techniques:Archive via Utility T1560.001

Sample rules:

sigma Winrar Compressing Dump Files
sigma WinRAR Execution in Non-Standard Folder

ends_with: \workfolders.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \wuauclt.exe 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules:

sigma Suspicious Spool Service Child Process
sigma Proxy Execution Via Wuauclt.EXE

ends_with: \wuaucltcore.exe 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, DLL T1574.001

Sample rules:

ends_with: \xordump.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - XORDump Execution

ends_with: driverquery.exe 2 rules

Sample rules:

sigma Potential Recon Activity Using DriverQuery.EXE
sigma DriverQuery.EXE Execution

ends_with: findstr.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Credentials In Files T1552.001, NTFS File Attributes T1564.004

Sample rules:

ends_with: python.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

sigma Python Inline Command Execution
sigma Python Spawning Pretty TTY on Windows

ends_with: python2.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

sigma Python Inline Command Execution
sigma Python Spawning Pretty TTY on Windows

ends_with: python3.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

sigma Python Inline Command Execution
sigma Python Spawning Pretty TTY on Windows

eq: "*\\appdata\\Roaming\\*" 2 rules

Top techniques:Screen Capture T1113

Sample rules:

splunk Suspicious Image Creation In Appdata Folder
splunk Suspicious WAV file in Appdata Folder

eq: "*\\cmd.exe" 2 rules

Top techniques:Indicator Removal T1070, PowerShell T1059.001, Malicious File T1204.002

Sample rules:

eq: "*\\rundll32.exe" 2 rules

Top techniques:Process Injection T1055

Sample rules:

splunk Rundll32 Create Remote Thread To A Process
splunk Rundll32 CreateRemoteThread In Browser

eq: "*\\spoolsv.exe" 2 rules

Top techniques:Print Processors T1547.012, Exploitation for Privilege Escalation T1068

Sample rules:

splunk Spoolsv Suspicious Loaded Modules
splunk Spoolsv Suspicious Process Access

eq: "*\\wermgr.exe" 2 rules

Top techniques:Application Layer Protocol T1071, Dynamic-link Library Injection T1055.001

Sample rules:

eq: - 2 rules

Sample rules:

sigma Execution Of Non-Existing File
sigma Execution of Suspicious File Type Extension

eq: <unknown process> 2 rules

Top techniques:Domain Trust Discovery T1482, Remote Desktop Protocol T1021.001

Sample rules:

eq: C:\Program Files\AVG\Antivirus\x86\RegSvr.exe 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: C:\Program Files\Avast Software\Avast\x86\RegSvr.exe 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: C:\Program Files\Windows Defender\MsMpEng.exe 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Disable or Modify Tools T1562.001

Sample rules:

eq: C:\WINDOWS\system32\msiexec.exe 2 rules

Top techniques:Hidden Files and Directories T1564.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: C:\WINDOWS\system32\svchost.exe 2 rules

Top techniques:Component Object Model Hijacking T1546.015, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

eq: C:\WINDOWS\system32\wbem\scrcons.exe 2 rules

Top techniques:Windows Management Instrumentation Event Subscription T1546.003

Sample rules:

eq: C:\Windows\PSEXESVC.exe 2 rules

Sample rules:

sigma Renamed PsExec Service Execution
sigma PsExec Service Execution

eq: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

eq: C:\Windows\SysWOW64\explorer.exe 2 rules

Top techniques:File Deletion T1070.004

Sample rules:

eq: C:\Windows\SysWOW64\regsvr32.exe 2 rules

Top techniques:Regsvr32 T1218.010, Rundll32 T1218.011, Add-ins T1137.006

Sample rules:

eq: C:\Windows\SysWOW64\schtasks.exe 2 rules

Top techniques:Process Injection T1055, Scheduled Task T1053.005

Sample rules:

eq: C:\Windows\System32\OpenWith.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Modify Registry T1112

Sample rules:

eq: C:\Windows\System32\RuntimeBroker.exe 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

eq: C:\Windows\System32\conhost.exe 2 rules

Top techniques:Windows Remote Management T1021.006, Windows Management Instrumentation Event Subscription T1546.003

Sample rules:

eq: C:\Windows\System32\dsac.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

eq: C:\Windows\System32\regsvr32.exe 2 rules

Top techniques:Regsvr32 T1218.010, Rundll32 T1218.011, Add-ins T1137.006

Sample rules:

eq: C:\Windows\System32\schtasks.exe 2 rules

Top techniques:Process Injection T1055, Scheduled Task T1053.005

Sample rules:

eq: C:\Windows\System32\sdiagnhost.exe 2 rules

Top techniques:Distributed Component Object Model T1021.003, PowerShell T1059.001

Sample rules:

eq: C:\Windows\System32\spoolsv.exe 2 rules

Top techniques:Port Monitors T1547.010, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: C:\Windows\System32\wsmprovhost.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

eq: C:\Windows\UUS\arm64\wuaucltcore.exe 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

eq: C:\Windows\system32\lsass.exe 2 rules

Top techniques:LSASS Driver T1547.008, Windows Service T1543.003

Sample rules:

sigma DLL Load via LSASS
sigma ServiceDll Hijack

eq: C:\Windows\system32\msiexec.exe 2 rules

Top techniques:Security Support Provider T1547.005, Component Object Model Hijacking T1546.015

Sample rules:

eq: C:\Windows\system32\wevtutil.exe 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

eq: C:\Windows\syswow64\MsiExec.exe 2 rules

Top techniques:Security Support Provider T1547.005, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: MemCompression 2 rules

Sample rules:

sigma Execution Of Non-Existing File
sigma Execution of Suspicious File Type Extension

eq: vmmem 2 rules

Sample rules:

sigma Execution Of Non-Existing File
sigma Execution of Suspicious File Type Extension

in: "*\\Users\\*" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

in: "*\\Windows\\Tasks\\*" 2 rules

Top techniques:Ingress Tool Transfer T1105, Visual Basic T1059.005

Sample rules:

in: "*\\\\*" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

in: "*\\cscript.exe" 2 rules

Top techniques:JavaScript T1059.007

Sample rules:

splunk MS Scripting Process Loading Ldap Module
splunk MS Scripting Process Loading WMI Module

in: "*\\program files*" 2 rules

Top techniques:CMSTP T1218.003

Sample rules:

splunk CMLUA Or CMSTPLUA UAC Bypass
splunk Wbemprox COM Object Execution

in: "*\\temp\\*" 2 rules

Top techniques:Scheduled Task/Job T1053, Visual Basic T1059.005

Sample rules:

in: "*\\users\\public\\*" 2 rules

Top techniques:Scheduled Task/Job T1053, Visual Basic T1059.005

Sample rules:

in: "*\\windows\\*" 2 rules

Top techniques:CMSTP T1218.003

Sample rules:

splunk CMLUA Or CMSTPLUA UAC Bypass
splunk Wbemprox COM Object Execution

in: "*\\wscript.exe" 2 rules

Top techniques:JavaScript T1059.007

Sample rules:

splunk MS Scripting Process Loading Ldap Module
splunk MS Scripting Process Loading WMI Module

match: :\$Recycle.bin 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

match: :\Program Files (x86)\Microsoft Office\ 2 rules

Top techniques:Malware T1587.001, Modify Registry T1112

Sample rules:

match: :\Program Files\Common Files\Microsoft Shared\ClickToRun\ 2 rules

Top techniques:Malware T1587.001, Modify Registry T1112

Sample rules:

match: :\ProgramData\Microsoft\Windows Defender\Platform\ 2 rules

Top techniques:Domain Trust Discovery T1482, Disable Windows Event Logging T1562.002

Sample rules:

sigma DNS Server Discovery Via LDAP Query
sigma HackTool - SysmonEnte Execution

match: C:\Program Files (x86)\Safari\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: C:\Program Files\Safari\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: C:\Program Files\Windows Defender Advanced Threat Protection\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: C:\Program Files\Windows Defender\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: C:\ProgramData\Microsoft\Windows Defender\Platform\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: C:\Users\Public\ 2 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

sigma Suspicious WindowsTerminal Child Processes
sigma WSL Child Process Anomaly

match: HotPotato 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: Juicy Potato 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: JuicyPotato 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: PetitPotam 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: RECYCLER.BIN\ 2 rules

Sample rules:

match: RECYCLERS.BIN\ 2 rules

Sample rules:

match: RottenPotato 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: \$Recycle.Bin\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules:

match: \$Recycle.bin 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

sigma HackTool - LaZagne Execution
sigma Suspicious Service Binary Directory

match: \AppData\Local\Discord\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

match: \AppData\Local\Microsoft\WindowsApps\ 2 rules

Top techniques:Ingress Tool Transfer T1105, Hidden Window T1564.003, Masquerading T1036

Sample rules:

sigma File Download with Headless Browser
sigma System File Execution Location Anomaly

match: \AppData\Roaming\ 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001, Visual Basic T1059.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: \Documents\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules:

match: \LocalPotato 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: \Microsoft Visual Studio\ 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

match: \ProgramData\ 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

match: \Public\ 2 rules

Top techniques:NTDS T1003.003, Security Account Manager T1003.002

Sample rules:

match: \Start Menu\Programs\Startup\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules:

match: \Temporary Internet 2 rules

Top techniques:Command and Scripting Interpreter T1059, Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001

Sample rules:

match: \Temporary Internet Files\Content.Outlook\ 2 rules

Top techniques:Spearphishing Attachment T1566.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Tor Browser\ 2 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

match: \Users\Contacts\ 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

sigma HackTool - LaZagne Execution
sigma Suspicious Service Binary Directory

match: \Users\Searches\ 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

sigma HackTool - LaZagne Execution
sigma Suspicious Service Binary Directory

match: \Windows\Fonts\ 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

sigma HackTool - LaZagne Execution
sigma Suspicious Service Binary Directory

match: \Windows\IME\ 2 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

sigma HackTool - LaZagne Execution
sigma Suspicious Service Binary Directory

match: \avira_system_speedup.tmp 2 rules

Top techniques:Inhibit System Recovery T1490

Sample rules:

match: \goldenPac 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \inetpub\wwwroot\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003, LSASS Memory T1003.001

Sample rules:

match: \just_dce_ 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

match: \karmaSMB 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \kintercept 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \pwsh.exe 2 rules

Top techniques:PowerShell T1059.001, SMB/Windows Admin Shares T1021.002, Data from Network Shared Drive T1039, Exfiltration Over Alternative Protocol T1048

Sample rules:

match: \python 2 rules

Top techniques:Network Service Discovery T1046, Command Obfuscation T1027.010, Python T1059.006

Sample rules:

sigma Python Initiated Connection
sigma Python One-Liners with Base64 Decoding

match: \rpcdump 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \samrdump 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \secretsdump 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \setup.exe 2 rules

Top techniques:Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \smbexec 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \temp\is- 2 rules

Top techniques:Inhibit System Recovery T1490

Sample rules:

match: \wmiexec 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

match: \wmipersist 2 rules

Top techniques:LSASS Memory T1003.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma HackTool - Generic Process Access
sigma HackTool - Impacket Tools Execution

starts_with: C:\$WINDOWS.~BT\ 2 rules

Top techniques:Masquerading T1036, Direct Volume Access T1006

Sample rules:

starts_with: C:\$WinREAgent\Scratch\ 2 rules

Top techniques:Inhibit System Recovery T1490, Direct Volume Access T1006

Sample rules:

starts_with: C:\Program Files (x86)\CCleaner\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\Program Files (x86)\Microsoft Visual Studio\ 2 rules

Top techniques:DLL T1574.001, PowerShell T1059.001

Sample rules:

starts_with: C:\Program Files (x86)\Microsoft\EdgeWebView\ 2 rules

Top techniques:Ingress Tool Transfer T1105, Hidden Window T1564.003, Registry Run Keys / Startup Folder T1547.001

Sample rules:

starts_with: C:\Program Files (x86)\QtWeb\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Program Files\CCleaner\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\Program Files\Citrix\ 2 rules

Top techniques:PowerShell T1059.001, Distributed Component Object Model T1021.003

Sample rules:

sigma Suspicious WSMAN Provider Image Loads
sigma Alternate PowerShell Hosts Pipe

starts_with: C:\Program Files\Microsoft Security Client\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\Program Files\Microsoft Visual Studio\ 2 rules

Top techniques:DLL T1574.001, PowerShell T1059.001

Sample rules:

starts_with: C:\Program Files\QtWeb\ 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

starts_with: C:\Users\' 2 rules

Top techniques:Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001, Masquerading T1036

Sample rules:

starts_with: C:\Windows\Microsoft.NET\Framework 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

starts_with: C:\Windows\SoftwareDistribution\ 2 rules

Top techniques:Masquerading T1036, Direct Volume Access T1006

Sample rules:

starts_with: C:\Windows\SystemApps\ 2 rules

Top techniques:GUI Input Capture T1056.002, Direct Volume Access T1006

Sample rules:

starts_with: C:\Windows\Temp\ 2 rules

Top techniques:Direct Volume Access T1006, Registry Run Keys / Startup Folder T1547.001

Sample rules:

starts_with: C:\Windows\Temp\{ 2 rules

Top techniques:Inhibit System Recovery T1490

Sample rules:

starts_with: C:\Windows\uus\ 2 rules

Top techniques:Masquerading T1036, Direct Volume Access T1006

Sample rules:

`TargetFilename` 169 entries

ends_with: .dll 21 rules

Top techniques:Ingress Tool Transfer T1105, DLL T1574.001, Malicious File T1204.002, System Binary Proxy Execution T1218, Remote Desktop Software T1219.002, Trusted Developer Utilities Proxy Execution T1127

Sample rules (showing 8 of 21):

ends_with: .exe 18 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Remote Desktop Software T1219.002, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133, Remote Access Tools T1219

Sample rules (showing 8 of 18):

ends_with: .vbs 16 rules

Top techniques:Ingress Tool Transfer T1105, Exploit Public-Facing Application T1190, Web Shell T1505.003, Malicious File T1204.002, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133

Sample rules (showing 8 of 16):

ends_with: .bat 15 rules

Sample rules (showing 8 of 15):

ends_with: .ps1 15 rules

Sample rules (showing 8 of 15):

ends_with: .vbe 13 rules

Top techniques:Ingress Tool Transfer T1105, Malicious File T1204.002, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133, Remote Access Tools T1219, Lateral Tool Transfer T1570

Sample rules (showing 8 of 13):

ends_with: .hta 12 rules

Sample rules (showing 8 of 12):

starts_with: C:\Users\ 12 rules

Top techniques:Bypass User Account Control T1548.002, Visual Basic T1059.005, JavaScript T1059.007, Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557

Sample rules (showing 8 of 12):

match: \AppData\Local\Temp\ 11 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Spearphishing Attachment T1566.001, System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001, LSASS Memory T1003.001

Sample rules (showing 8 of 11):

ends_with: .cmd 8 rules

Sample rules:

ends_with: .js 8 rules

Top techniques:Ingress Tool Transfer T1105, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133, Remote Access Tools T1219, Lateral Tool Transfer T1570, Visual Basic T1059.005

Sample rules:

ends_with: .scr 8 rules

Top techniques:Malicious File T1204.002, Ingress Tool Transfer T1105, Remote Access Tools T1219, Lateral Tool Transfer T1570, Screensaver T1546.002, Rundll32 T1218.011

Sample rules:

ends_with: .sys 6 rules

Top techniques:Exploitation for Privilege Escalation T1068, Malicious File T1204.002, Command and Scripting Interpreter T1059

Sample rules:

ends_with: .wsf 6 rules

Top techniques:Malicious File T1204.002, Ingress Tool Transfer T1105, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133, System Binary Proxy Execution T1218, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: .aspx 5 rules

Top techniques:Web Shell T1505.003, Exploit Public-Facing Application T1190, Ingress Tool Transfer T1105, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133

Sample rules:

ends_with: .docm 5 rules

Top techniques:Spearphishing Attachment T1566.001, Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .dotm 5 rules

Top techniques:Spearphishing Attachment T1566.001, Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .iso 5 rules

Top techniques:Spearphishing Attachment T1566.001, Masquerading T1036, Double File Extension T1036.007

Sample rules:

ends_with: .lnk 5 rules

Top techniques:Command and Scripting Interpreter T1059, Registry Run Keys / Startup Folder T1547.001, Double File Extension T1036.007

Sample rules:

ends_with: .xlsm 5 rules

Top techniques:Spearphishing Attachment T1566.001, Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .xltm 5 rules

Top techniques:Spearphishing Attachment T1566.001, Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .asp 4 rules

Top techniques:Web Shell T1505.003, Exploit Public-Facing Application T1190

Sample rules:

ends_with: .psm1 4 rules

Top techniques:Command and Scripting Interpreter T1059, Malicious File T1204.002, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: .zip 4 rules

Top techniques:Ingress Tool Transfer T1105, Remote Access Tools T1219, Lateral Tool Transfer T1570, Command and Scripting Interpreter T1059, Double File Extension T1036.007, System Binary Proxy Execution T1218

Sample rules:

eq: "*\\temp\\*" 4 rules

Top techniques:Credentials from Web Browsers T1555.003, Data from Local System T1005, Screen Capture T1113

Sample rules:

starts_with: C:\Windows\Temp\ 4 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, LSASS Memory T1003.001

Sample rules:

ends_with: .7z 3 rules

Top techniques:Ingress Tool Transfer T1105, Remote Access Tools T1219, Lateral Tool Transfer T1570, Command and Scripting Interpreter T1059, System Binary Proxy Execution T1218

Sample rules:

ends_with: .ashx 3 rules

Top techniques:Web Shell T1505.003, Exploit Public-Facing Application T1190

Sample rules:

ends_with: .chm 3 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

ends_with: .com 3 rules

Top techniques:Ingress Tool Transfer T1105, Remote Access Tools T1219, Lateral Tool Transfer T1570, Malicious File T1204.002

Sample rules:

ends_with: .dmp 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: .ocx 3 rules

Top techniques:Malicious File T1204.002, System Binary Proxy Execution T1218

Sample rules:

ends_with: .potm 3 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

sigma Office Macro File Creation
sigma Office Macro File Download
sigma Office Macro File Creation From Suspicious Process

ends_with: .pptm 3 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

sigma Office Macro File Creation
sigma Office Macro File Download
sigma Office Macro File Creation From Suspicious Process

ends_with: .rar 3 rules

Top techniques:Ingress Tool Transfer T1105, Remote Access Tools T1219, Lateral Tool Transfer T1570, Double File Extension T1036.007, System Binary Proxy Execution T1218

Sample rules:

ends_with: .vba 3 rules

Top techniques:Visual Basic T1059.005, JavaScript T1059.007, Spearphishing Attachment T1566.001, Malicious File T1204.002, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: :Zone.Identifier 3 rules

Top techniques:File Deletion T1070.004

Sample rules:

in: "*\\Windows\\Temp\\*" 3 rules

Top techniques:Mshta T1218.005, Archive Collected Data T1560

Sample rules:

in: "*\\Windows\\servicing\\*" 3 rules

Top techniques:Masquerading T1036, Data Destruction T1485, AppDomainManager T1574.014

Sample rules:

match: .bat:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .dll:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .exe 3 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557, Visual Basic T1059.005, JavaScript T1059.007

Sample rules:

match: .exe:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .hta:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .ps1:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .vbe:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .vbs:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .xll:Zone 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: :\Temp\ 3 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105

Sample rules:

match: :\Users\ 3 rules

Top techniques:JavaScript T1059.007, Ingress Tool Transfer T1105, User Execution T1204, Exfiltration to Cloud Storage T1567.002, Masquerading T1036

Sample rules:

match: \AppData\ 3 rules

Top techniques:JavaScript T1059.007, Ingress Tool Transfer T1105, User Execution T1204, Phishing T1566, Spearphishing Attachment T1566.001, Hijack Execution Flow T1574

Sample rules:

match: \Desktop\ 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Data Encrypted for Impact T1486, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: \Start Menu\Programs\Startup\ 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: \WindowsPowerShell\Modules\ 3 rules

Sample rules:

match: \Windows\Temp\ 3 rules

Top techniques:Web Shell T1505.003

Sample rules:

match: \lsass 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

starts_with: C:\Windows\System32\ 3 rules

Top techniques:Bypass User Account Control T1548.002, DLL T1574.001, System Script Proxy Execution T1216

Sample rules:

ends_with: .cer 2 rules

Top techniques:Private Keys T1552.004, Credentials from Password Stores T1555, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

ends_with: .cpl 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

ends_with: .dat 2 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

ends_with: .diagcab 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

sigma Creation of a Diagcab
sigma Legitimate Application Dropped Archive

ends_with: .docx 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .evtx 2 rules

Top techniques:Indicator Removal T1070, Disable Windows Event Logging T1562.002

Sample rules:

sigma EventLog EVTX File Deleted
sigma EVTX Created In Uncommon Location

ends_with: .jar 2 rules

Top techniques:Malicious File T1204.002, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: .jse 2 rules

Top techniques:Visual Basic T1059.005, JavaScript T1059.007, Malicious File T1204.002, Registry Run Keys / Startup Folder T1547.001

Sample rules:

sigma WScript or CScript Dropper - File
sigma Suspicious Startup Folder Persistence

ends_with: .jsp 2 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

ends_with: .key 2 rules

Top techniques:Private Keys T1552.004, Credentials from Password Stores T1555, Domain Account T1136.002, Windows Service T1543.003, Lateral Tool Transfer T1570

Sample rules:

ends_with: .log 2 rules

Top techniques:Indicator Removal T1070, File Deletion T1070.004

Sample rules:

sigma IIS WebServer Access Logs Deleted
sigma TeamViewer Log File Deleted

ends_with: .msi 2 rules

Top techniques:Malicious File T1204.002, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: .pdf 2 rules

Top techniques:Malware T1587.001

Sample rules:

ends_with: .py 2 rules

Top techniques:Ingress Tool Transfer T1105, Trusted Developer Utilities Proxy Execution T1127, External Remote Services T1133, Command and Scripting Interpreter T1059

Sample rules:

sigma Suspicious File Created by ArcSOC.exe
sigma Suspicious File Created In PerfLogs

ends_with: .rdp 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

ends_with: .scf 2 rules

Top techniques:Malicious File T1204.002, System Binary Proxy Execution T1218

Sample rules:

ends_with: .sed 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: .svg 2 rules

Top techniques:Spearphishing Attachment T1566.001, Double File Extension T1036.007

Sample rules:

ends_with: .txt 2 rules

Top techniques:Masquerading T1036, Data Encrypted for Impact T1486

Sample rules:

ends_with: .wll 2 rules

Top techniques:Add-ins T1137.006, Malware T1587.001

Sample rules:

ends_with: .wsh 2 rules

Top techniques:Malicious File T1204.002, System Binary Proxy Execution T1218

Sample rules:

ends_with: .xll 2 rules

Top techniques:Add-ins T1137.006, Malware T1587.001

Sample rules:

ends_with: .xls 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .xlsx 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: .xlt 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

ends_with: \Microsoft\Outlook\VbaProject.OTM 2 rules

Top techniques:Fallback Channels T1008, Office Application Startup T1137, Event Triggered Execution T1546

Sample rules:

sigma New Outlook Macro Created
sigma Suspicious Outlook Macro Created

ends_with: \WerFault.exe 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, DLL T1574.001

Sample rules:

ends_with: \comctl32.dll 2 rules

Top techniques:Bypass User Account Control T1548.002

Sample rules:

ends_with: \dns.log 2 rules

Top techniques:External Remote Services T1133

Sample rules:

sigma Unusual File Modification by dns.exe
sigma Unusual File Deletion by Dns.exe

ends_with: \ntds.dit 2 rules

Top techniques:NTDS T1003.003, Security Account Manager T1003.002

Sample rules:

eq: "*:Zone.Identifier" 2 rules

Top techniques:Ingress Tool Transfer T1105, Mark-of-the-Web Bypass T1553.005

Sample rules:

splunk Download Files Using Telegram
splunk Windows Mark Of The Web Bypass

eq: "*\\appdata\\Roaming\\*" 2 rules

Top techniques:Screen Capture T1113

Sample rules:

splunk Suspicious Image Creation In Appdata Folder
splunk Suspicious WAV file in Appdata Folder

eq: "*\\spool\\drivers\\x64\\*" 2 rules

Top techniques:Print Processors T1547.012

Sample rules:

splunk Spoolsv Writing a DLL
splunk Spoolsv Writing a DLL - Sysmon

eq: C:\Windows\System32\drivers\LiveKdD.SYS 2 rules

Sample rules:

sigma LiveKD Driver Creation
sigma LiveKD Driver Creation By Uncommon Process

in: "*.dll" 2 rules

Top techniques:Rundll32 T1218.011, Data Destruction T1485

Sample rules:

in: "*.exe" 2 rules

Top techniques:Rundll32 T1218.011, Data Destruction T1485

Sample rules:

in: "*:\\Temp\\*" 2 rules

Top techniques:Masquerading T1036, Spearphishing Link T1566.002

Sample rules:

in: "*:\\Windows\\Temp\\*" 2 rules

Top techniques:Masquerading T1036, Spearphishing Link T1566.002

Sample rules:

in: "*Recycle.bin*" 2 rules

Top techniques:Masquerading T1036, AppDomainManager T1574.014

Sample rules:

in: "*\\AppData\\Local\\Temp\\*" 2 rules

Top techniques:Masquerading T1036, Archive Collected Data T1560

Sample rules:

in: "*\\HttpProxy\\OAB\\*" 2 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

in: "*\\HttpProxy\\owa\\auth\\*" 2 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

in: "*\\PerfLogs\\*" 2 rules

Top techniques:Masquerading T1036, AppDomainManager T1574.014

Sample rules:

in: "*\\ScreenConnect\\App_Extensions\\*" 2 rules

Top techniques:Exploit Public-Facing Application T1190

Sample rules:

in: "*\\Terminal Server Client\\Cache\\*.bmc" 2 rules

Top techniques:Remote Desktop Protocol T1021.001, File Deletion T1070.004

Sample rules:

splunk Windows RDP Bitmap Cache File Creation
splunk Windows RDP Cache File Deletion

in: "*\\Terminal Server Client\\Cache\\cache*.bin" 2 rules

Top techniques:Remote Desktop Protocol T1021.001, File Deletion T1070.004

Sample rules:

splunk Windows RDP Bitmap Cache File Creation
splunk Windows RDP Cache File Deletion

in: "*\\Users\\Administrator\\Music\\*" 2 rules

Top techniques:Masquerading T1036, AppDomainManager T1574.014

Sample rules:

in: "*\\Users\\Default\\*" 2 rules

Top techniques:Masquerading T1036, AppDomainManager T1574.014

Sample rules:

in: "*\\Windows\\Media\\*" 2 rules

Top techniques:Masquerading T1036, AppDomainManager T1574.014

Sample rules:

in: "*\\Windows\\PLA\\Reports\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\PLA\\Rules\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\PLA\\Templates\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\Registration\\CRMLog\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\SysWOW64\\Com\\dmp\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\SysWOW64\\Tasks\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\Com\\dmp\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\LogFiles\\WMI\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\Tasks\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\spool\\PRINTERS\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\spool\\SERVERS\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\System32\\spool\\drivers\\color\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\Tasks\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\Windows\\repair\\*" 2 rules

Top techniques:Masquerading T1036, AppDomainManager T1574.014

Sample rules:

in: "*\\Windows\\tracing\\*" 2 rules

Top techniques:Mshta T1218.005

Sample rules:

in: "*\\inetpub\\wwwroot\\aspnet_client\\*" 2 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, Web Shell T1505.003

Sample rules:

match: .cmd:Zone 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .dmp 2 rules

Top techniques:Security Account Manager T1003.002, LSASS Memory T1003.001

Sample rules:

sigma HackTool - QuarksPwDump Dump File
sigma LSASS Process Memory Dump Files

match: .doc. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .docm:Zone 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

match: .docx. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .jpg. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .lnk:Zone 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .one:Zone 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: .pdf. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .ppt. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .pptm:Zone 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

match: .pptx. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .xls. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: .xlsm:Zone 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

match: .xlsx. 2 rules

Top techniques:Double File Extension T1036.007

Sample rules:

match: :\ProgramData\ 2 rules

Top techniques:System Binary Proxy Execution T1218, Ingress Tool Transfer T1105

Sample rules:

match: :\Users\Public\ 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, User Execution T1204

Sample rules:

match: C:\$WINDOWS.~BT\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: C:\$WinREAgent\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: C:\PerfLogs\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Command and Scripting Interpreter T1059

Sample rules:

match: C:\Users\Public\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Command and Scripting Interpreter T1059

Sample rules:

match: C:\Windows\SoftwareDistribution\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: C:\Windows\SysWOW64\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: C:\Windows\System32\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: C:\Windows\WinSxS\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: C:\Windows\uus\ 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005

Sample rules:

match: \AppData\Local\ 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: \AppData\Roaming\ 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

match: \Microsoft\Excel\XLSTART 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

match: \Microsoft\Word\STARTUP 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

match: \Office 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

match: \PowerShell\7\Modules\ 2 rules

Sample rules:

match: \Program Files 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

match: \STARTUP 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

match: \Users\ 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Hijack Execution Flow T1574, DLL T1574.001, Data Encrypted for Impact T1486

Sample rules:

match: \Users\Public\ 2 rules

Sample rules:

match: \XLSTART 2 rules

Top techniques:Office Application Startup T1137, Malware T1587.001

Sample rules:

match: \hive_sam_ 2 rules

Top techniques:Credentials In Files T1552.001, Security Account Manager T1003.002

Sample rules:

match: \inetpub\wwwroot\ 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Web Shell T1505.003

Sample rules:

match: __PSScriptPolicyTest_ 2 rules

Sample rules:

regex_match: "(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$" 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

starts_with: C:\$WINDOWS.~BT\NewOS\ 2 rules

Top techniques:Shortcut Modification T1547.009, Registry Run Keys / Startup Folder T1547.001

Sample rules:

sigma Desktop.INI Created by Uncommon Process
sigma Startup Folder File Write

starts_with: C:\PerfLogs\ 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

starts_with: C:\Windows\SysWOW64\ 2 rules

Top techniques:DLL T1574.001, System Script Proxy Execution T1216

Sample rules:

starts_with: C:\Windows\System32\winevt\Logs\ 2 rules

Top techniques:Indicator Removal T1070, Disable Windows Event Logging T1562.002

Sample rules:

sigma EventLog EVTX File Deleted
sigma EVTX Created In Uncommon Location

starts_with: C:\Windows\WinSxS\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

`Hashes` 142 entries

match: IMPHASH=0E2216679CA6E1094D63322E3412D650 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, LSASS Memory T1003.001

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - HandleKatz LSASS Dumper Execution

match: IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=330768A4F172E10ACB6287B87289D83B 3 rules

Top techniques:NTFS File Attributes T1564.004, Disable Windows Event Logging T1562.002, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma HackTool - SharpEvtMute DLL Load
sigma Hacktool Execution - Imphash

match: IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, LSASS Memory T1003.001

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - HandleKatz LSASS Dumper Execution

match: IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=3DE09703C8E79ED2CA3F01074719906B 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=5834ED4291BDEB928270428EBBAF7604 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=767637C23BB42CD5D7397CF58B0BE688 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=7D010C6BB6A3726F327F7E239166D127 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, LSASS Memory T1003.001

Sample rules:

match: IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, Bypass User Account Control T1548.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash
sigma HackTool - UACMe Akagi Execution

match: IMPHASH=E96A73C7BF33A464C510EDE582318BF2 3 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002, LSASS Memory T1003.001

Sample rules:

match: IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=03866661686829d806989e2fc5a72606 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=0588081AB0E63BA785938467E1B10CCA 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=09D278F9DE118EF09163C6140255C690 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=12ce1c0f3f5837ecc18a3782408fa975 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

match: IMPHASH=13F08707F759AF6003837A150A371BA1 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00 2 rules

Top techniques:Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220

Sample rules:

match: IMPHASH=17244E8B6B8227E57FE709CCAD421420 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=1781F06048A7E58B323F0B9259BE798B 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=17B461A082950FC6332228572138B80C 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=19584675D94829987952432E018D5056 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E 2 rules

Top techniques:Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220

Sample rules:

match: IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA 2 rules

Top techniques:Dynamic-link Library Injection T1055.001, Masquerading T1036, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: IMPHASH=21aa085d54992511b9f115355e468782 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

match: IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=25CE42B079282632708FC846129E98A5 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Windows Service T1543.003

Sample rules:

sigma Malicious Driver Load
sigma Vulnerable Driver Load

match: IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=32089B8851BBF8BC2D014E9F37288C83 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=37777A96245A3C74EB217308F3546F4C 2 rules

Top techniques:Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220

Sample rules:

match: IMPHASH=3A19059BD7688CB88E70005F18EFC439 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=3AD59991CCF1D67339B319B15A41B35D 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=40445337761D80CF465136FAFB1F63E6 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Windows Service T1543.003

Sample rules:

sigma Malicious Driver Load
sigma Vulnerable Driver Load

match: IMPHASH=49b639b4acbecc49d72a01f357aa4930 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

match: IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=4DA924CF622D039D58BCE71CDF05D242 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=4fbf3f084fbbb2470b80b2013134df35 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

match: IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=563233BFA169ACC7892451F71AD5850A 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=59223B5F52D8799D38E0754855CBDF42 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=6118619783FC175BC7EBECFF0769B46E 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=680dad9e300346e05a85023965867201 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

match: IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD 2 rules

Top techniques:Dynamic-link Library Injection T1055.001, Masquerading T1036, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: IMPHASH=713C29B396B907ED71A72482759ED757 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=730073214094CD328547BF1F72289752 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=819B19D53CA6736448F9325A85736792 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=81E75D8F1D276C156653D3D8813E4A43 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=87575CB7A0E0700EB37F2E3668671A08 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=8B114550386E31895DFAB371E741123D 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=96DF3A3731912449521F6F8D183279B1 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=9D68781980370E00E0BD939EE5E6C141 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 2 rules

Top techniques:Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220

Sample rules:

match: IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=B12619881D79C3ACADF45E752A58554A 2 rules

Top techniques:Windows Management Instrumentation T1047, Visual Basic T1059.005, JavaScript T1059.007, XSL Script Processing T1220

Sample rules:

match: IMPHASH=B18A1401FF8F444056D29450FBC0A6CE 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=CB567F9498452721D77A451374955F5F 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=E6F9D5152DA699934B30DAAB206471F6 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=F1039CED4B91572AB7847D26032E6BBF 2 rules

Top techniques:Dynamic-link Library Injection T1055.001, Masquerading T1036, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: IMPHASH=F9A28C458284584A93B14216308D31BD 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3 2 rules

Top techniques:Dynamic-link Library Injection T1055.001, Masquerading T1036, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

match: IMPHASH=FFDD59E0318B85A3E480874D9796D872 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=bf6223a49e45d99094406777eb6004ba 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: IMPHASH=d144de8117df2beceaba2201ad304764 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

match: IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d 2 rules

Top techniques:NTFS File Attributes T1564.004, OS Credential Dumping T1003, Tool T1588.002

Sample rules:

sigma HackTool Named File Stream Created
sigma Hacktool Execution - Imphash

match: SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

match: SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d 2 rules

Top techniques:Internal Proxy T1090.001

Sample rules:

sigma Cloudflared Quick Tunnel Execution
sigma Renamed Cloudflared.EXE Execution

`OriginalFileName` 130 entries

eq: pwsh.dll 72 rules

Top techniques:PowerShell T1059.001, Disable or Modify Tools T1562.001, Obfuscated Files or Information T1027, Modify Registry T1112, Command and Scripting Interpreter T1059, Ingress Tool Transfer T1105

Sample rules (showing 8 of 72):

eq: PowerShell.EXE 64 rules

Top techniques:PowerShell T1059.001, Disable or Modify Tools T1562.001, Obfuscated Files or Information T1027, Command and Scripting Interpreter T1059, Windows Management Instrumentation T1047, Ingress Tool Transfer T1105

Sample rules (showing 8 of 64):

eq: wmic.exe 33 rules

Top techniques:Windows Management Instrumentation T1047, System Information Discovery T1082, Malicious File T1204.002, Regsvr32 T1218.010, Account Discovery T1087, Visual Basic T1059.005

Sample rules (showing 8 of 33):

eq: Cmd.Exe 32 rules

Top techniques:Windows Command Shell T1059.003, File Deletion T1070.004, Command and Scripting Interpreter T1059, Change Default File Association T1546.001, Exploitation for Client Execution T1203, Malicious File T1204.002

Sample rules (showing 8 of 32):

eq: reg.exe 29 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001, Indicator Blocking T1562.006, Control Panel T1218.002, Event Triggered Execution T1546

Sample rules (showing 8 of 29):

eq: RUNDLL32.EXE 28 rules

Top techniques:Rundll32 T1218.011, Exploitation for Client Execution T1203, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, DLL T1574.001, NTFS File Attributes T1564.004, Windows Credential Manager T1555.004

Sample rules (showing 8 of 28):

eq: net.exe 16 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Service Stop T1489, Local Account T1136.001, Remote System Discovery T1018, Local Account T1087.001, Domain Account T1087.002

Sample rules (showing 8 of 16):

eq: net1.exe 16 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Service Stop T1489, Local Account T1136.001, Remote System Discovery T1018, Local Account T1087.001, Domain Account T1087.002

Sample rules (showing 8 of 16):

eq: cscript.exe 15 rules

Top techniques:System Binary Proxy Execution T1218, Exploitation for Client Execution T1203, Visual Basic T1059.005, Command and Scripting Interpreter T1059, Indirect Command Execution T1202, DLL T1574.001

Sample rules (showing 8 of 15):

eq: wscript.exe 15 rules

Sample rules (showing 8 of 15):

eq: netsh.exe 14 rules

Sample rules (showing 8 of 14):

eq: schtasks.exe 14 rules

Top techniques:Scheduled Task T1053.005, PowerShell T1059.001, Match Legitimate Resource Name or Location T1036.005, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047

Sample rules (showing 8 of 14):

eq: CertUtil.exe 13 rules

Top techniques:Obfuscated Files or Information T1027, Ingress Tool Transfer T1105, Install Root Certificate T1553.004, System Binary Proxy Execution T1218, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 13):

eq: curl.exe 11 rules

Sample rules (showing 8 of 11):

eq: FINDSTR.EXE 10 rules

Top techniques:Credentials In Files T1552.001, Group Policy Preferences T1552.006, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, NTFS File Attributes T1564.004, Security Software Discovery T1518.001

Sample rules (showing 8 of 10):

eq: REGSVR32.EXE 10 rules

Top techniques:Regsvr32 T1218.010, Mshta T1218.005, Hijack Execution Flow T1574, Rundll32 T1218.011, Command and Scripting Interpreter T1059

Sample rules (showing 8 of 10):

eq: sc.exe 10 rules

Top techniques:Disable or Modify Tools T1562.001, Windows Service T1543.003, Services Registry Permissions Weakness T1574.011, Service Stop T1489, OS Credential Dumping T1003, Automated Collection T1119

Sample rules (showing 8 of 10):

eq: bitsadmin.exe 9 rules

Top techniques:BITS Jobs T1197, Rename Legitimate Utilities T1036.003, Ingress Tool Transfer T1105, Mshta T1218.005, Phishing T1566, Spearphishing Attachment T1566.001

Sample rules (showing 8 of 9):

eq: odbcconf.exe 9 rules

Top techniques:Odbcconf T1218.008, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules (showing 8 of 9):

eq: whoami.exe 9 rules

Top techniques:System Owner/User Discovery T1033, Local Account T1087.001, Remote System Discovery T1018, Account Discovery T1087, Web Shell T1505.003

Sample rules (showing 8 of 9):

sigma Renamed Whoami Execution
sigma Local Accounts Discovery
sigma Webshell Detection With Command Line Keywords
sigma Enumerate All Information With Whoami.EXE
sigma Whoami.EXE Execution From Privileged Process
sigma Group Membership Reconnaissance Via Whoami.EXE
sigma Whoami.EXE Execution With Output Option
sigma Whoami.EXE Execution Anomaly

eq: powershell_ise.EXE 8 rules

Top techniques:Ingress Tool Transfer T1105, PowerShell T1059.001, Disable or Modify Tools T1562.001, Command and Scripting Interpreter T1059, Malicious File T1204.002, Rename Legitimate Utilities T1036.003

Sample rules:

eq: powershell.exe 8 rules

Top techniques:Modify Registry T1112, Indirect Command Execution T1202, System Binary Proxy Execution T1218, Domain Accounts T1078.002, Account Manipulation T1098, Indicator Removal T1070

Sample rules:

eq: MSHTA.EXE 7 rules

Top techniques:Mshta T1218.005, Native API T1106, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002

Sample rules:

eq: CertOC.exe 6 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002

Sample rules:

sigma File Download via CertOC.EXE
sigma File Download From IP Based URL Via CertOC.EXE
sigma DLL Loaded via CertOC.EXE
sigma Suspicious DLL Loaded via CertOC.EXE
sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process

eq: FIND.EXE 6 rules

Top techniques:Group Policy Preferences T1552.006, Security Software Discovery T1518.001, Steganography T1027.003, Masquerading T1036, Indirect Command Execution T1202

Sample rules:

eq: PowerShell_ISE.EXE 6 rules

Top techniques:PowerShell T1059.001, Disable or Modify Tools T1562.001, Command Obfuscation T1027.010, Msiexec T1218.007, Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

eq: RegAsm.exe 6 rules

Top techniques:Regsvcs/Regasm T1218.009, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: WBADMIN.EXE 6 rules

Top techniques:Inhibit System Recovery T1490, NTDS T1003.003, Indicator Removal T1070

Sample rules:

eq: msdt.exe 6 rules

Top techniques:Indirect Command Execution T1202, Masquerading T1036, System Binary Proxy Execution T1218, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047

Sample rules:

eq: mshta.exe 6 rules

Top techniques:Exploitation for Client Execution T1203, Indirect Command Execution T1202, System Binary Proxy Execution T1218, DLL T1574.001, JavaScript T1059.007, Deobfuscate/Decode Files or Information T1140

Sample rules:

eq: powershell_ise.exe 6 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218, Domain Accounts T1078.002, Account Manipulation T1098, Indicator Removal T1070, PowerShell T1059.001

Sample rules:

eq: HH.exe 5 rules

Top techniques:Compiled HTML File T1218.001, Windows Management Instrumentation T1047, Regsvr32 T1218.010, Phishing T1566, Spearphishing Attachment T1566.001, PowerShell T1059.001

Sample rules:

sigma HH.EXE Execution
sigma Remote CHM File Download/Execution Via HH.EXE
sigma Suspicious HH.EXE Execution
sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process

eq: InstallUtil.exe 5 rules

Sample rules:

eq: RegSvcs.exe 5 rules

Top techniques:Regsvcs/Regasm T1218.009, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: msiexec.exe 5 rules

Top techniques:Msiexec T1218.007, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: CMSTP.EXE 4 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010, CMSTP T1218.003

Sample rules:

sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process
sigma LOLBIN Execution From Abnormal Drive
sigma Bypass UAC via CMSTP

eq: REGEDIT.EXE 4 rules

Top techniques:Query Registry T1012, Modify Registry T1112

Sample rules:

sigma Exports Critical Registry Keys To a File
sigma Exports Registry Key To a File
sigma Imports Registry Key From a File
sigma Imports Registry Key From an ADS

eq: WinWord.exe 4 rules

Top techniques:Indirect Command Execution T1202, Rename Legitimate Utilities T1036.003

Sample rules:

eq: XCOPY.EXE 4 rules

Sample rules:

eq: appcmd.exe 4 rules

Top techniques:Disable Windows Event Logging T1562.002, OS Credential Dumping T1003, Web Shell T1505.003

Sample rules:

eq: mstsc.exe 4 rules

Top techniques:Remote Desktop Software T1219.002, Remote Desktop Protocol T1021.001

Sample rules:

eq: regsvr32.exe 4 rules

Top techniques:Exploitation for Client Execution T1203, Indirect Command Execution T1202, System Binary Proxy Execution T1218, DLL T1574.001, Rename Legitimate Utilities T1036.003

Sample rules:

eq: robocopy.exe 4 rules

Sample rules:

eq: wevtutil.exe 4 rules

Top techniques:Account Discovery T1087, Rename Legitimate Utilities T1036.003, Clear Windows Event Logs T1070.001, Disable Windows Event Logging T1562.002, Unsecured Credentials T1552, Remote System Discovery T1018

Sample rules:

eq: winget.exe 4 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

eq: 7z.exe 3 rules

Top techniques:Archive via Utility T1560.001, Rename Legitimate Utilities T1036.003

Sample rules:

eq: 7za.exe 3 rules

Top techniques:Archive via Utility T1560.001, Rename Legitimate Utilities T1036.003

Sample rules:

eq: AddInUtil.exe 3 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

eq: Bash.exe 3 rules

Top techniques:Indirect Command Execution T1202, Mshta T1218.005

Sample rules:

eq: CONHOST.EXE 3 rules

Top techniques:PowerShell T1059.001, Windows Command Shell T1059.003, Hidden Window T1564.003, Rename Legitimate Utilities T1036.003, Bypass User Account Control T1548.002

Sample rules:

eq: Excel.exe 3 rules

Top techniques:Indirect Command Execution T1202, Rename Legitimate Utilities T1036.003

Sample rules:

eq: IEExec.exe 3 rules

Top techniques:Ingress Tool Transfer T1105, Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: POWERPNT.EXE 3 rules

Top techniques:Indirect Command Execution T1202, Rename Legitimate Utilities T1036.003

Sample rules:

eq: PingCastle.exe 3 rules

Top techniques:Active Scanning T1595, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

eq: RUNDLL32.exe 3 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010, Rundll32 T1218.011

Sample rules:

eq: ScriptRunner.exe 3 rules

Sample rules:

sigma Use of Scriptrunner.exe
sigma Suspicious Microsoft OneNote Child Process
sigma Suspicious Microsoft Office Child Process

eq: VSSADMIN.EXE 3 rules

Top techniques:OS Credential Dumping T1003, Security Account Manager T1003.002, NTDS T1003.003, Indicator Removal T1070, Inhibit System Recovery T1490, Remote System Discovery T1018

Sample rules:

eq: WerFault.exe 3 rules

Top techniques:Bypass User Account Control T1548.002, LSASS Memory T1003.001, Masquerading T1036

Sample rules:

eq: cmd.exe 3 rules

Top techniques:Windows Command Shell T1059.003, Indirect Command Execution T1202, System Binary Proxy Execution T1218, Indicator Removal T1070

Sample rules:

eq: diskshadow.exe 3 rules

Top techniques:System Binary Proxy Execution T1218, Indicator Removal T1070, Inhibit System Recovery T1490

Sample rules:

eq: psexesvc.exe 3 rules

Top techniques:Rename Legitimate Utilities T1036.003

Sample rules:

eq: wget.exe 3 rules

Sample rules:

eq: ATTRIB.EXE 2 rules

Top techniques:Hidden Files and Directories T1564.001

Sample rules:

eq: AdExp 2 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

eq: AdFind.exe 2 rules

Top techniques:Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Domain Trust Discovery T1482

Sample rules:

sigma PUA - AdFind.EXE Execution
sigma Renamed AdFind Execution

eq: AgentExecutor.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

eq: Cmd.EXE 2 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027

Sample rules:

eq: DSACLS.EXE 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

eq: DumpMinitool.arm64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

eq: DumpMinitool.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

eq: DumpMinitool.x86.exe 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma DumpMinitool Execution
sigma Suspicious DumpMinitool Execution

eq: FX_VER_INTERNALNAME_STR 2 rules

Top techniques:LSASS Memory T1003.001, Masquerading T1036

Sample rules:

sigma CreateDump Process Dump
sigma Renamed CreateDump Utility Execution

eq: IE4UINIT.EXE 2 rules

Top techniques:System Binary Proxy Execution T1218, Rename Legitimate Utilities T1036.003

Sample rules:

eq: MMC.exe 2 rules

Top techniques:Group Policy Modification T1484.001, Right-to-Left Override T1036.002, Malicious File T1204.002, MMC T1218.014

Sample rules:

eq: Microsoft.Workflow.Compiler.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: MpCmdRun.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218, Disable or Modify Tools T1562.001

Sample rules:

eq: Msxsl.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: NirCmd.exe 2 rules

Top techniques:Service Execution T1569.002, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

sigma PUA - NirCmd Execution
sigma Renamed NirCmd.EXE Execution

eq: PowerShell.Exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

eq: PresentationHost.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

eq: REGINI.EXE 2 rules

Top techniques:Modify Registry T1112

Sample rules:

eq: REGSVR32.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: RstrtMgr.dll 2 rules

Top techniques:Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001

Sample rules:

eq: WorkFolders.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: \msiexec.exe 2 rules

Top techniques:Msiexec T1218.007, Match Legitimate Resource Name or Location T1036.005

Sample rules:

eq: bcdedit.exe 2 rules

Top techniques:Inhibit System Recovery T1490, Indicator Removal T1070, Bootkit T1542.003

Sample rules:

eq: bsdtar 2 rules

Top techniques:Archive Collected Data T1560, Archive via Utility T1560.001

Sample rules:

eq: cmdkey.exe 2 rules

Top techniques:Cached Domain Credentials T1003.005

Sample rules:

eq: csi.exe 2 rules

Top techniques:Software Deployment Tools T1072, System Binary Proxy Execution T1218, Trusted Developer Utilities Proxy Execution T1127

Sample rules:

sigma Suspicious Csi.exe Usage
sigma Suspicious Use of CSharp Interactive Console

eq: drvqry.exe 2 rules

Sample rules:

sigma Potential Recon Activity Using DriverQuery.EXE
sigma DriverQuery.EXE Execution

eq: dsquery.exe 2 rules

Top techniques:Domain Trust Discovery T1482, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

eq: esentutl.exe 2 rules

Top techniques:Data from Local System T1005, Credentials from Web Browsers T1555.003

Sample rules:

sigma Esentutl Steals Browser Information
sigma Potential Browser Data Stealing

eq: finger.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, Rename Legitimate Utilities T1036.003

Sample rules:

eq: fltMC.exe 2 rules

Top techniques:Indicator Removal T1070, Impair Defenses T1562, Disable Windows Event Logging T1562.002

Sample rules:

sigma Filter Driver Unloaded Via Fltmc.EXE
sigma Sysmon Driver Unloaded Via Fltmc.EXE

eq: fsutil.exe 2 rules

Top techniques:Peripheral Device Discovery T1120, Indicator Removal T1070, Data Destruction T1485

Sample rules:

sigma Fsutil Drive Enumeration
sigma Fsutil Suspicious Invocation

eq: ftp.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

eq: gpg.exe 2 rules

Top techniques:Data Encrypted for Impact T1486

Sample rules:

sigma Portable Gpg.EXE Execution
sigma Renamed Gpg.EXE Execution

eq: javaw.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: ksetup.exe 2 rules

Sample rules:

eq: ldifde.exe 2 rules

Top techniques:Ingress Tool Transfer T1105, System Binary Proxy Execution T1218

Sample rules:

eq: livekd.exe 2 rules

Sample rules:

sigma Potential Memory Dumping Activity Via LiveKD
sigma Kernel Memory Dump Via LiveKD

eq: msedge_proxy.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

eq: msteams.exe 2 rules

Sample rules:

eq: nltestrk.exe 2 rules

Top techniques:System Network Configuration Discovery T1016, Domain Trust Discovery T1482, Remote System Discovery T1018

Sample rules:

sigma Nltest.EXE Execution
sigma Potential Recon Activity Via Nltest.EXE

eq: node.exe 2 rules

Top techniques:JavaScript T1059.007

Sample rules:

eq: pcalua.exe 2 rules

Top techniques:Phishing T1566, Spearphishing Attachment T1566.001, Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

eq: procdump 2 rules

Top techniques:LSASS Memory T1003.001, Rename Legitimate Utilities T1036.003

Sample rules:

eq: psexec.c 2 rules

Top techniques:Rename Legitimate Utilities T1036.003, Remote Services T1021, System Services T1569

Sample rules:

eq: psservice.exe 2 rules

Top techniques:Service Stop T1489, Disable or Modify Tools T1562.001, Windows Service T1543.003

Sample rules:

sigma Suspicious Windows Service Tampering
sigma Sysinternals PsService Execution

eq: pssuspend.exe 2 rules

Top techniques:Windows Service T1543.003, Disable or Modify Tools T1562.001

Sample rules:

eq: quser.exe 2 rules

Top techniques:System Owner/User Discovery T1033, Local Account T1087.001, Remote System Discovery T1018, Account Discovery T1087, Web Shell T1505.003

Sample rules:

sigma Local Accounts Discovery
sigma Webshell Detection With Command Line Keywords

eq: sdbinst.exe 2 rules

Top techniques:Application Shimming T1546.011

Sample rules:

eq: sdelete.exe 2 rules

Top techniques:Data Destruction T1485

Sample rules:

eq: sysinfo.exe 2 rules

Top techniques:System Information Discovery T1082, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

eq: tasklist.exe 2 rules

Top techniques:OS Credential Dumping T1003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Web Shell T1505.003

Sample rules:

eq: toolbox-cmd.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

in: "EQNEDT32.EXE" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "Excel.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "Graph.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "MSACCESS.EXE" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "MSPUB.EXE" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "OUTLOOK.EXE" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "OneNote.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "OneNoteIm.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "OneNoteM.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "POWERPNT.EXE" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "VISIO.EXE" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "WinProj.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "WinWord.exe" 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

match: client32.exe 2 rules

Sample rules:

`ParentImage` 113 entries

ends_with: \powershell.exe 16 rules

Top techniques:PowerShell T1059.001, System Binary Proxy Execution T1218, Visual Basic T1059.005, System Script Proxy Execution T1216, NTDS T1003.003, Browser Extensions T1176.001

Sample rules (showing 8 of 16):

ends_with: \pwsh.exe 16 rules

Top techniques:PowerShell T1059.001, System Binary Proxy Execution T1218, Visual Basic T1059.005, System Script Proxy Execution T1216, NTDS T1003.003, Browser Extensions T1176.001

Sample rules (showing 8 of 16):

ends_with: \cscript.exe 14 rules

Top techniques:System Binary Proxy Execution T1218, Visual Basic T1059.005, PowerShell T1059.001, NTDS T1003.003, Spearphishing Attachment T1566.001, Browser Extensions T1176.001

Sample rules (showing 8 of 14):

ends_with: \wscript.exe 14 rules

Top techniques:System Binary Proxy Execution T1218, Visual Basic T1059.005, PowerShell T1059.001, NTDS T1003.003, Spearphishing Attachment T1566.001, Browser Extensions T1176.001

Sample rules (showing 8 of 14):

ends_with: \cmd.exe 13 rules

Top techniques:Windows Command Shell T1059.003, System Binary Proxy Execution T1218, Hidden Files and Directories T1564.001, Browser Extensions T1176.001, System Language Discovery T1614.001, Network Share Discovery T1135

Sample rules (showing 8 of 13):

ends_with: \rundll32.exe 12 rules

Top techniques:System Binary Proxy Execution T1218, PowerShell T1059.001, Rundll32 T1218.011, Spearphishing Attachment T1566.001, Browser Extensions T1176.001, Command and Scripting Interpreter T1059

Sample rules (showing 8 of 12):

ends_with: \explorer.exe 11 rules

Top techniques:Malicious Copy and Paste T1204.004, Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, Windows Management Instrumentation T1047, File and Directory Discovery T1083, Indirect Command Execution T1202

Sample rules (showing 8 of 11):

ends_with: \regsvr32.exe 11 rules

Top techniques:Command and Scripting Interpreter T1059, System Binary Proxy Execution T1218, PowerShell T1059.001, Spearphishing Attachment T1566.001, Browser Extensions T1176.001, Masquerading T1036

Sample rules (showing 8 of 11):

ends_with: \mshta.exe 10 rules

Top techniques:Visual Basic T1059.005, Mshta T1218.005, System Binary Proxy Execution T1218, PowerShell T1059.001, Spearphishing Attachment T1566.001, Browser Extensions T1176.001

Sample rules (showing 8 of 10):

ends_with: \svchost.exe 8 rules

Top techniques:Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, Mshta T1218.005, Indirect Command Execution T1202

Sample rules:

ends_with: \w3wp.exe 8 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, NTDS T1003.003, IIS Components T1505.004

Sample rules:

sigma NTDS.DIT Creation By Uncommon Parent Process
sigma Suspicious IIS Module Registration
sigma Suspicious PowerShell Parent Process
sigma Chopper Webshell Process Pattern
sigma Webshell Hacking Activity Patterns
sigma Webshell Detection With Command Line Keywords
sigma Suspicious Process By Web Server Process
sigma Webshell Tool Reconnaissance Activity

ends_with: \java.exe 7 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Exploitation of Remote Services T1210, Exploit Public-Facing Application T1190

Sample rules:

sigma Suspicious Processes Spawned by Java.EXE
sigma Shell Process Spawned by Java.EXE
sigma Suspicious SysAidServer Child
sigma Webshell Hacking Activity Patterns
sigma Webshell Detection With Command Line Keywords
sigma Suspicious Process By Web Server Process
sigma Webshell Tool Reconnaissance Activity

ends_with: \services.exe 7 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, Windows Management Instrumentation T1047, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002, PowerShell T1059.001

Sample rules:

ends_with: \httpd.exe 6 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, NTDS T1003.003, PowerShell T1059.001

Sample rules:

ends_with: \nginx.exe 6 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, NTDS T1003.003, PowerShell T1059.001

Sample rules:

ends_with: \php-cgi.exe 6 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, NTDS T1003.003, PowerShell T1059.001

Sample rules:

match: \tomcat 6 rules

Top techniques:Web Shell T1505.003, NTDS T1003.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Exploit Public-Facing Application T1190

Sample rules:

ends_with: \dllhost.exe 5 rules

Top techniques:Command and Scripting Interpreter T1059, Bypass User Account Control T1548.002

Sample rules:

sigma Unusual Parent Process For Cmd.EXE
sigma Potential CobaltStrike Process Patterns
sigma ImagingDevices Unusual Parent/Child Processes
sigma UAC Bypass via ICMLuaUtil
sigma Wab/Wabmig Unusual Parent Or Child Processes

ends_with: \javaw.exe 5 rules

Sample rules:

sigma Suspicious SysAidServer Child
sigma Webshell Hacking Activity Patterns
sigma Webshell Detection With Command Line Keywords
sigma Suspicious Process By Web Server Process
sigma Webshell Tool Reconnaissance Activity

eq: - 5 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, Command and Scripting Interpreter T1059, Rename Legitimate Utilities T1036.003, System Owner/User Discovery T1033, System Binary Proxy Execution T1218

Sample rules:

ends_with: \caddy.exe 4 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Exploit Public-Facing Application T1190

Sample rules:

ends_with: \chrome.exe 4 rules

Top techniques:PowerShell T1059.001, Malicious Copy and Paste T1204.004

Sample rules:

ends_with: \outlook.exe 4 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Command and Scripting Interpreter T1059, Indirect Command Execution T1202

Sample rules:

ends_with: \spoolsv.exe 4 rules

Top techniques:Command and Scripting Interpreter T1059, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203, Abuse Elevation Control Mechanism T1548

Sample rules:

ends_with: \wsl.exe 4 rules

Top techniques:System Binary Proxy Execution T1218, Indirect Command Execution T1202, Masquerading T1036

Sample rules:

sigma Potential Suspicious Mofcomp Execution
sigma Suspicious MSDT Parent Process
sigma WSL Child Process Anomaly
sigma WSL Kali-Linux Usage

match: -tomcat- 4 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087, Exploit Public-Facing Application T1190

Sample rules:

match: :\Windows\Temp\ 4 rules

Top techniques:Indicator Removal T1070, Impair Defenses T1562, Disable Windows Event Logging T1562.002, Command and Scripting Interpreter T1059

Sample rules:

match: \AppData\Local\Temp\ 4 rules

Top techniques:Indicator Removal T1070, Impair Defenses T1562, Disable Windows Event Logging T1562.002, Msiexec T1218.007, Scheduled Task T1053.005, PowerShell T1059.001

Sample rules:

sigma Filter Driver Unloaded Via Fltmc.EXE
sigma Msiexec Quiet Installation
sigma Suspicious Schtasks Execution AppData Folder
sigma UAC Bypass Using DismHost

ends_with: \EXCEL.EXE 3 rules

Top techniques:Malicious File T1204.002, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \MSPUB.exe 3 rules

Top techniques:Malicious File T1204.002, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \MsMpEng.exe 3 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, Rename Legitimate Utilities T1036.003, Process Injection T1055, Process Hollowing T1055.012

Sample rules:

ends_with: \POWERPNT.exe 3 rules

Top techniques:Malicious File T1204.002, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \VISIO.exe 3 rules

Top techniques:Malicious File T1204.002, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \WINWORD.EXE 3 rules

Top techniques:Malicious File T1204.002, Windows Management Instrumentation T1047, Regsvr32 T1218.010

Sample rules:

ends_with: \WebEx\WebexHost.exe 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

sigma Use Short Name Path in Image
sigma Use NTFS Short Name in Command Line
sigma Use NTFS Short Name in Image

ends_with: \WindowsTerminal.exe 3 rules

Top techniques:PowerShell T1059.001

Sample rules:

ends_with: \WmiPrvSE.exe 3 rules

Top techniques:Windows Management Instrumentation T1047, PowerShell T1059.001

Sample rules:

ends_with: \csrss.exe 3 rules

Top techniques:Command and Scripting Interpreter T1059, Abuse Elevation Control Mechanism T1548, Masquerading T1036

Sample rules:

sigma Unusual Parent Process For Cmd.EXE
sigma Abused Debug Privilege by Arbitrary Parent Processes
sigma Suspicious Process Parents

ends_with: \firefox.exe 3 rules

Top techniques:PowerShell T1059.001, Malicious Copy and Paste T1204.004

Sample rules:

sigma Mstsc.EXE Execution From Uncommon Parent
sigma Suspicious PowerShell Parent Process
sigma Suspicious FileFix Execution Pattern

ends_with: \lsass.exe 3 rules

Top techniques:Command and Scripting Interpreter T1059, Abuse Elevation Control Mechanism T1548

Sample rules:

ends_with: \mmc.exe 3 rules

Top techniques:Distributed Component Object Model T1021.003, Windows Management Instrumentation T1047, Abuse Elevation Control Mechanism T1548

Sample rules:

ends_with: \msedge.exe 3 rules

Top techniques:Malicious Copy and Paste T1204.004

Sample rules:

ends_with: \onenote.exe 3 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Compiled HTML File T1218.001, Phishing T1566

Sample rules:

ends_with: \powershell_ise.exe 3 rules

Top techniques:Trusted Developer Utilities Proxy Execution T1127, Regsvr32 T1218.010, System Owner/User Discovery T1033

Sample rules:

ends_with: \smss.exe 3 rules

Top techniques:Command and Scripting Interpreter T1059, PowerShell T1059.001, Trusted Developer Utilities Proxy Execution T1127, Abuse Elevation Control Mechanism T1548

Sample rules:

ends_with: \sqlservr.exe 3 rules

Top techniques:Exploit Public-Facing Application T1190, Web Shell T1505.003, PowerShell T1059.001

Sample rules:

ends_with: \thor\thor64.exe 3 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

sigma Use Short Name Path in Image
sigma Use NTFS Short Name in Command Line
sigma Use NTFS Short Name in Image

ends_with: \userinit.exe 3 rules

Top techniques:Command and Scripting Interpreter T1059, Process Injection T1055, Logon Script (Windows) T1037.001

Sample rules:

sigma Conhost Spawned By Uncommon Parent Process
sigma Suspicious Userinit Child Process
sigma Uncommon Userinit Child Process

ends_with: \winlogon.exe 3 rules

Top techniques:Accessibility Features T1546.008, Command and Scripting Interpreter T1059, Abuse Elevation Control Mechanism T1548

Sample rules:

ends_with: \wmiprvse.exe 3 rules

Top techniques:Windows Management Instrumentation T1047, Registry Run Keys / Startup Folder T1547.001, Distributed Component Object Model T1021.003, PowerShell T1059.001, Visual Basic T1059.005, System Binary Proxy Execution T1218

Sample rules:

ends_with: \ws_tomcatservice.exe 3 rules

Top techniques:Web Shell T1505.003, Remote System Discovery T1018, System Owner/User Discovery T1033, Account Discovery T1087

Sample rules:

eq: C:\Windows\System32\msiexec.exe 3 rules

Top techniques:PowerShell T1059.001, Email Collection T1114, Clear Windows Event Logs T1070.001, Disable Windows Event Logging T1562.002

Sample rules:

eq: C:\Windows\System32\svchost.exe 3 rules

Top techniques:Rundll32 T1218.011, Bypass User Account Control T1548.002, Windows Management Instrumentation Event Subscription T1546.003

Sample rules:

sigma Rundll32 Internet Connection
sigma Explorer NOUACCHECK Flag
sigma WMI Persistence - Script Event Consumer

match: \AppData\Local\ 3 rules

Top techniques:Indirect Command Execution T1202

Sample rules:

ends_with: \AppData\Local\Programs\Microsoft VS Code\Code.exe 2 rules

Top techniques:PowerShell T1059.001, Command and Scripting Interpreter T1059

Sample rules:

sigma Non Interactive PowerShell Process Spawned
sigma Python Inline Command Execution

ends_with: \DllHost.exe 2 rules

Top techniques:Bypass User Account Control T1548.002, CMSTP T1218.003

Sample rules:

ends_with: \Dropbox.exe 2 rules

Top techniques:Disable or Modify System Firewall T1562.004, Windows Service T1543.003

Sample rules:

sigma Firewall Rule Deleted Via Netsh.EXE
sigma New Service Creation Using Sc.EXE

ends_with: \EQNEDT32.EXE 2 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \GoogleUpdate.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

ends_with: \MSACCESS.EXE 2 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \Microsoft.Management.Services.IntuneWindowsAgent.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \ONENOTE.EXE 2 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \bginfo.exe 2 rules

Top techniques:Visual Basic T1059.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \bginfo64.exe 2 rules

Top techniques:Visual Basic T1059.005, Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \brave.exe 2 rules

Top techniques:Malicious Copy and Paste T1204.004

Sample rules:

ends_with: \code.exe 2 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218, Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

ends_with: \conhost.exe 2 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

ends_with: \eventvwr.exe 2 rules

Top techniques:Bypass User Account Control T1548.002, Masquerading T1036

Sample rules:

ends_with: \excel.exe 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Distributed Component Object Model T1021.003

Sample rules:

ends_with: \gup.exe 2 rules

Top techniques:Compromise Software Supply Chain T1195.002, Adversary-in-the-Middle T1557

Sample rules:

ends_with: \iexplore.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

ends_with: \microsoftedge.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

ends_with: \msiexec.exe 2 rules

Top techniques:Rundll32 T1218.011, Application Shimming T1546.011

Sample rules:

ends_with: \ngen.exe 2 rules

Top techniques:Match Legitimate Resource Name or Location T1036.005, Rename Legitimate Utilities T1036.003

Sample rules:

ends_with: \pcwrun.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \provlaunch.exe 2 rules

Top techniques:System Binary Proxy Execution T1218

Sample rules:

ends_with: \python.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059

Sample rules:

ends_with: \rpcnet.exe 2 rules

Top techniques:Process Injection T1055, Match Legitimate Resource Name or Location T1036.005

Sample rules:

sigma Suspect Svchost Activity
sigma Uncommon Svchost Parent Process

ends_with: \slui.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059, Bypass User Account Control T1548.002

Sample rules:

sigma Unusual Parent Process For Cmd.EXE
sigma UAC Bypass Using ChangePK and SLUI

ends_with: \sqlagent.exe 2 rules

Top techniques:PowerShell T1059.001, Trusted Developer Utilities Proxy Execution T1127

Sample rules:

ends_with: \vivaldi.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

ends_with: \wermgr.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059, Masquerading T1036, Process Injection T1055

Sample rules:

sigma Unusual Parent Process For Cmd.EXE
sigma Suspicious Child Process Of Wermgr.EXE

ends_with: \wininit.exe 2 rules

Top techniques:Command and Scripting Interpreter T1059, Abuse Elevation Control Mechanism T1548

Sample rules:

ends_with: \wordpad.exe 2 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \wordview.exe 2 rules

Top techniques:Windows Management Instrumentation T1047, Malicious File T1204.002, Regsvr32 T1218.010

Sample rules:

ends_with: \wslhost.exe 2 rules

Top techniques:Indirect Command Execution T1202, System Binary Proxy Execution T1218

Sample rules:

sigma WSL Child Process Anomaly
sigma WSL Kali-Linux Usage

ends_with: \wsmprovhost.exe 2 rules

Top techniques:Windows Remote Management T1021.006, PowerShell T1059.001, Exploit Public-Facing Application T1190

Sample rules:

eq: "*\\explorer.exe" 2 rules

Top techniques:PowerShell T1059.001, Malicious File T1204.002

Sample rules:

eq: C:\ProgramData\chocolatey\choco.exe 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

eq: C:\Windows\SysWOW64\msiexec.exe 2 rules

Top techniques:PowerShell T1059.001, Clear Windows Event Logs T1070.001, Disable Windows Event Logging T1562.002

Sample rules:

eq: C:\Windows\System32\inetsrv\w3wp.exe 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

eq: C:\Windows\System32\lxss\wslhost.exe 2 rules

Top techniques:Remote Desktop Protocol T1021.001, Remote Desktop Software T1219.002

Sample rules:

eq: C:\Windows\System32\sdiagnhost.exe 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

eq: C:\Windows\System32\services.exe 2 rules

Top techniques:Bypass User Account Control T1548.002

Sample rules:

eq: C:\Windows\explorer.exe 2 rules

Top techniques:PowerShell T1059.001, NTFS File Attributes T1564.004

Sample rules:

sigma Hidden Powershell in Link File Pattern
sigma Use NTFS Short Name in Image

in: "*\\ProgramData\\*" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

in: "*\\Temp\\*" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

in: "*\\Users\\*" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

in: "*\\\\*" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

match: :\Users\Public\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Hide Artifacts T1564

Sample rules:

match: :\Windows\SysWOW64\ 2 rules

Top techniques:Masquerading T1036, Command and Scripting Interpreter T1059

Sample rules:

match: :\Windows\System32\ 2 rules

Top techniques:Masquerading T1036, Command and Scripting Interpreter T1059

Sample rules:

match: C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\ 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: \AppData\ 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \PerfLogs\ 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \Public\ 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \Temp\ 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \Users\Public\ 2 rules

Sample rules:

sigma Potential Recon Activity Using DriverQuery.EXE
sigma DriverQuery.EXE Execution

match: \Windows\Temp\ 2 rules

Sample rules:

sigma Potential Recon Activity Using DriverQuery.EXE
sigma DriverQuery.EXE Execution

match: \apache 2 rules

Top techniques:NTDS T1003.003

Sample rules:

match: \gc_worker.exe 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

starts_with: C:\Program Files (x86)\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

starts_with: C:\Program Files\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

`Details` 96 entries

eq: "0x00000001" 42 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, Office Application Startup T1137, Hidden Files and Directories T1564.001, Bypass User Account Control T1548.002, Inhibit System Recovery T1490

Sample rules (showing 8 of 42):

splunk Disable Registry Tool
splunk Disable Show Hidden Files
splunk Disable UAC Remote Restriction
splunk Disable Windows Behavior Monitoring
splunk Disabling CMD Application
splunk Disabling ControlPanel
splunk Disabling FolderOptions Windows Feature
splunk Disabling NoRun Windows App

eq: DWORD (0x00000000) 38 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Impair Defenses T1562, Disable or Modify System Firewall T1562.004, Hidden Files and Directories T1564.001, Bypass User Account Control T1548.002

Sample rules (showing 8 of 38):

eq: DWORD (0x00000001) 37 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, Office Application Startup T1137, Registry Run Keys / Startup Folder T1547.001, Internal Defacement T1491.001, Inhibit System Recovery T1490

Sample rules (showing 8 of 37):

eq: "0x00000000" 27 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Abuse Elevation Control Mechanism T1548, Hidden Files and Directories T1564.001, Bypass User Account Control T1548.002, Data Destruction T1485

Sample rules (showing 8 of 27):

splunk Allow Operation with Consent Admin
splunk Disable AMSI Through Registry
splunk Disable ETW Through Registry
splunk Disable Show Hidden Files
splunk Disabling Remote User Account Control
splunk Hide User Account From Sign-In Screen
splunk Windows Disable Memory Crash Dump
splunk Windows Disable Shutdown Button Through Registry

eq: (Empty) 24 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Modify Registry T1112, Bypass User Account Control T1548.002, AppInit DLLs T1546.010, Change Default File Association T1546.001, System Binary Proxy Execution T1218

Sample rules (showing 8 of 24):

sigma New DLL Added to AppInit_DLLs Registry Key
sigma Shell Open Registry Keys Manipulation
sigma Atbroker Registry Change
sigma Classes Autorun Keys Modification
sigma Common Autorun Keys Modification
sigma CurrentControlSet Autorun Keys Modification
sigma CurrentVersion Autorun Keys Modification
sigma CurrentVersion NT Autorun Keys Modification

eq: 0x00000001 12 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, OS Credential Dumping T1003, Browser Session Hijacking T1185, Service Stop T1489

Sample rules (showing 8 of 12):

splunk Disable Defender AntiVirus Registry
splunk Disable Defender BlockAtFirstSeen Feature
splunk Disable Defender Enhanced Notification
splunk Enable WDigest UseLogonCredential Registry
splunk Windows Chrome Auto-Update Disabled via Registry
splunk Windows Modify Registry Configure BitLocker
splunk Windows Modify Registry DisableRemoteDesktopAntiAlias
splunk Windows Modify Registry DisableSecuritySettings

eq: DWORD (0x00000002) 9 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, Office Application Startup T1137, LSASS Memory T1003.001, Dynamic Data Exchange T1559.002, Impair Defenses T1562

Sample rules (showing 8 of 9):

match: \AppData\Local\Temp\ 9 rules

Top techniques:Disable or Modify Tools T1562.001, Registry Run Keys / Startup Folder T1547.001, Netsh Helper DLL T1546.007, OS Credential Dumping T1003, Image File Execution Options Injection T1546.012, Change Default File Association T1546.001

Sample rules (showing 8 of 9):

eq: 0x00000000 8 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Trusted Developer Utilities Proxy Execution T1127, Indicator Blocking T1562.006, Browser Session Hijacking T1185, LSA Secrets T1003.004

Sample rules:

splunk Disable Defender MpEngine Registry
splunk Disable Defender Spynet Reporting
splunk Disable Defender Submit Samples Consent Feature
splunk ETW Registry Disabled
splunk Windows Chrome Auto-Update Disabled via Registry
splunk Windows LSA Secrets NoLMhash Registry
splunk Windows Modify Registry AuthenticationLevelOverride
splunk Windows Modify Registry Disable Restricted Admin

match: powershell 8 rules

Top techniques:Service Execution T1569.002, SMB/Windows Admin Shares T1021.002, Windows Service T1543.003, Indirect Command Execution T1202, Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: \Users\Public\ 5 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112, Component Object Model Hijacking T1546.015, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

eq: 0 4 rules

Top techniques:Modify Registry T1112, Impair Defenses T1562, Indicator Blocking T1562.006

Sample rules:

eq: Binary Data 4 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Inhibit System Recovery T1490, Modify Registry T1112, Bypass User Account Control T1548.002

Sample rules:

match: %tmp% 4 rules

Top techniques:Image File Execution Options Injection T1546.012, Component Object Model Hijacking T1546.015, Registry Run Keys / Startup Folder T1547.001, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: :\Users\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: :\Users\Public\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, OS Credential Dumping T1003, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: :\Windows\Temp\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, OS Credential Dumping T1003, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Contacts\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: \Windows\Temp\ 4 rules

Top techniques:Disable or Modify Tools T1562.001, Image File Execution Options Injection T1546.012, Component Object Model Hijacking T1546.015, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: cscript 4 rules

Top techniques:Malicious Copy and Paste T1204.004, Image File Execution Options Injection T1546.012, Malicious Link T1204.001

Sample rules:

match: mshta 4 rules

Top techniques:Malicious Copy and Paste T1204.004, Image File Execution Options Injection T1546.012, Malicious Link T1204.001

Sample rules:

match: pwsh 4 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001, Service Execution T1569.002, PowerShell T1059.001

Sample rules:

match: rundll32 4 rules

Top techniques:Malicious Copy and Paste T1204.004, Image File Execution Options Injection T1546.012, Malicious Link T1204.001

Sample rules:

match: wscript 4 rules

Top techniques:Malicious Copy and Paste T1204.004, Image File Execution Options Injection T1546.012, Malicious Link T1204.001

Sample rules:

ends_with: .dll 3 rules

Top techniques:Port Monitors T1547.010, Winlogon Helper DLL T1547.004

Sample rules:

eq: "Binary Data" 3 rules

Top techniques:Modify Registry T1112

Sample rules:

match: # 3 rules

Top techniques:Malicious Copy and Paste T1204.004, Command Obfuscation T1027.010

Sample rules:

match: %temp% 3 rules

Top techniques:Image File Execution Options Injection T1546.012, Component Object Model Hijacking T1546.015, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: .dll 3 rules

Top techniques:Netsh Helper DLL T1546.007, Image File Execution Options Injection T1546.012, Scheduled Task T1053.005

Sample rules:

match: :\Perflogs\ 3 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015

Sample rules:

match: \Desktop\ 3 rules

Top techniques:Disable or Modify Tools T1562.001, Image File Execution Options Injection T1546.012, Component Object Model Hijacking T1546.015

Sample rules:

match: \Favorites\ 3 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015

Sample rules:

match: \Favourites\ 3 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015

Sample rules:

match: \Pictures\ 3 rules

Top techniques:Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: \Temporary Internet 3 rules

Top techniques:Disable or Modify Tools T1562.001, Netsh Helper DLL T1546.007, Component Object Model Hijacking T1546.015

Sample rules:

match: cmd 3 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: regsvr32 3 rules

Top techniques:Malicious Copy and Paste T1204.004, Image File Execution Options Injection T1546.012, Malicious Link T1204.001

Sample rules:

ends_with: .exe" /burn.runonce 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: %%systemroot%%\system32\ntdsa.dll 2 rules

Top techniques:LSASS Driver T1547.008, Windows Service T1543.003

Sample rules:

sigma DLL Load via LSASS
sigma ServiceDll Hijack

eq: 1 2 rules

Top techniques:Credentials in Registry T1552.002, Modify Registry T1112

Sample rules:

splunk Auto Admin Logon Registry Entry
splunk Windows Modify Registry NoChangingWallPaper

eq: DWORD (0x00000004) 2 rules

Top techniques:Disable or Modify Tools T1562.001, Modify Registry T1112

Sample rules:

eq: DWORD (0x00000009) 2 rules

Top techniques:Disable or Modify Tools T1562.001, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: cpwmon64_v40.dll 2 rules

Top techniques:Port Monitors T1547.010, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: {472083B0-C522-11CF-8763-00608CC02F24} 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: {472083B1-C522-11CF-8763-00608CC02F24} 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: {807583E5-5146-11D5-A672-00B0D022E945} 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

sigma Classes Autorun Keys Modification
sigma Common Autorun Keys Modification

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: %AppData% 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: %comspec% 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: .bat 2 rules

Top techniques:Image File Execution Options Injection T1546.012, Scheduled Task T1053.005

Sample rules:

match: .exe 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Windows Service T1543.003, Service Execution T1569.002, Scheduled Task T1053.005

Sample rules:

match: .hta 2 rules

Top techniques:Image File Execution Options Injection T1546.012, Scheduled Task T1053.005

Sample rules:

match: 0x00000001 2 rules

Top techniques:Fallback Channels T1008, Office Application Startup T1137, Event Triggered Execution T1546

Sample rules:

match: :\ProgramData\ 2 rules

Top techniques:OS Credential Dumping T1003, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: :\Temp\ 2 rules

Top techniques:OS Credential Dumping T1003, Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: Invoke- 2 rules

Top techniques:Image File Execution Options Injection T1546.012, PowerShell T1059.001

Sample rules:

match: \AppData\Roaming\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, OS Credential Dumping T1003

Sample rules:

match: \Downloads\ 2 rules

Top techniques:Image File Execution Options Injection T1546.012, Component Object Model Hijacking T1546.015

Sample rules:

match: \Microsoft\Windows\Start Menu\Programs\Startup\ 2 rules

Top techniques:Component Object Model Hijacking T1546.015

Sample rules:

match: \PerfLogs\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

match: account 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: anti-bot 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: bitsadmin 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: botcheck 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: captcha 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: certutil 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: challenge 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: confirmation 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: curl 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: finger 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: fraud 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: http 2 rules

Top techniques:Malicious Copy and Paste T1204.004, PowerShell T1059.001

Sample rules:

match: human 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: identification 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: identificator 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: identity 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: iex 2 rules

Top techniques:Image File Execution Options Injection T1546.012, PowerShell T1059.001

Sample rules:

match: robot 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: schtasks 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: validation 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: verification 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: verify 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: wget 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Malicious Link T1204.001

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

match: 2 rules

Top techniques:Command Obfuscation T1027.010, Malicious Copy and Paste T1204.004

Sample rules:

starts_with: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

`TargetObject` 73 entries

ends_with: \EulaAccepted 4 rules

Top techniques:Tool T1588.002

Sample rules:

match: \Active Directory Explorer 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \Handle 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \LiveKd 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \ProcDump 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \Process Explorer 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \PsExec 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \PsLoglist 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \PsPasswd 3 rules

Top techniques:Tool T1588.002

Sample rules:

match: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ 3 rules

Top techniques:Impair Defenses T1562

Sample rules:

match: \Services\ 3 rules

Top techniques:Disable or Modify Tools T1562.001, Service Execution T1569.002, Windows Service T1543.003

Sample rules:

sigma Sysmon Driver Altitude Change
sigma PowerShell as a Service in Registry
sigma ServiceDll Hijack

match: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Software\Microsoft\Windows\CurrentVersion\Run 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 3 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: (Default) 2 rules

Top techniques:Image File Execution Options Injection T1546.012

Sample rules:

ends_with: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel 2 rules

Top techniques:Modify Registry T1112

Sample rules:

ends_with: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun 2 rules

Top techniques:Modify Registry T1112

Sample rules:

ends_with: \(Default) 2 rules

Top techniques:Hidden Files and Directories T1564.001, Component Object Model Hijacking T1546.015

Sample rules:

ends_with: \ChannelAccess 2 rules

Top techniques:Disable Windows Event Logging T1562.002, Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001

Sample rules:

ends_with: \DeviceGuard\EnableVirtualizationBasedSecurity 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

ends_with: \DeviceGuard\LsaCfgFlags 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

ends_with: \Driver 2 rules

Top techniques:OS Credential Dumping T1003

Sample rules:

sigma New ODBC Driver Registered
sigma Potentially Suspicious ODBC Driver Registered

ends_with: \Enabled 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

ends_with: \ImagePath 2 rules

Top techniques:Modify Registry T1112, Service Execution T1569.002

Sample rules:

sigma Service Binary in Suspicious Folder
sigma PowerShell as a Service in Registry

ends_with: \Lsa\LsaCfgFlags 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

ends_with: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1 2 rules

Top techniques:Malicious Copy and Paste T1204.004, Command Obfuscation T1027.010

Sample rules:

ends_with: \Start 2 rules

Top techniques:Modify Registry T1112

Sample rules:

ends_with: \URL 2 rules

Top techniques:Modify Registry T1112

Sample rules:

match: ControlSet 2 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, Windows Service T1543.003

Sample rules:

sigma NetNTLM Downgrade Attack - Registry
sigma ServiceDll Hijack

match: Ime File 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: Index 2 rules

Top techniques:Impair Defenses T1562

Sample rules:

match: SYSTEM\ 2 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001

Sample rules:

sigma Registry Entries For Azorult Malware
sigma NetNTLM Downgrade Attack - Registry

match: Software\Microsoft\Office\ 2 rules

Top techniques:Modify Registry T1112, Add-ins T1137.006

Sample rules:

match: \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Control\Keyboard Layouts\ 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: \Directory\Shellex\CopyHookHandlers 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Directory\Shellex\DragDropHandlers 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Drivers32 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Explorer\Browser Helper Objects 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Explorer\SharedTaskScheduler 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Explorer\ShellExecuteHooks 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Explorer\ShellIconOverlayIdentifiers 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Explorer\ShellServiceObjects 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Folder\ShellEx\DragDropHandlers 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Folder\ShellEx\ExtShellFolderViews 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Image File Execution Options 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Image File Execution Options\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Image File Execution Options Injection T1546.012

Sample rules:

match: \Microsoft\Office\ 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006

Sample rules:

match: \Microsoft\Office\Outlook\Addins\Avast.AsOutExt\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Add-ins T1137.006

Sample rules:

match: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\ 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

match: \RunOnceEx\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \RunOnce\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \RunServicesOnce\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \RunServices\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Run\ 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \SDelete 2 rules

Top techniques:Tool T1588.002

Sample rules:

match: \SOFTWARE\Microsoft\NetSh 2 rules

Top techniques:Netsh Helper DLL T1546.007

Sample rules:

match: \SOFTWARE\Microsoft\Office\ 2 rules

Top techniques:Disable or Modify Tools T1562.001, Office Application Startup T1137

Sample rules:

match: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ 2 rules

Top techniques:Application Shimming T1546.011

Sample rules:

match: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ 2 rules

Top techniques:Application Shimming T1546.011

Sample rules:

match: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ 2 rules

Sample rules:

match: \SOFTWARE\ODBC\ODBCINST.INI\ 2 rules

Top techniques:OS Credential Dumping T1003

Sample rules:

sigma New ODBC Driver Registered
sigma Potentially Suspicious ODBC Driver Registered

match: \SYSTEM\CurrentControlSet\Services\EventLog\ 2 rules

Top techniques:Modify Registry T1112, Registry Run Keys / Startup Folder T1547.001, Disable Windows Event Logging T1562.002

Sample rules:

match: \Security\Trusted Documents\TrustRecords 2 rules

Top techniques:Spearphishing Attachment T1566.001, Modify Registry T1112

Sample rules:

match: \ShellEx\ContextMenuHandlers 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \ShellEx\PropertySheetHandlers 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \ShellServiceObjectDelayLoad 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

match: \Software\Winternals\BGInfo\UserFields\ 2 rules

Top techniques:Modify Registry T1112

Sample rules:

match: \Windows\Appinit_Dlls 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001

Sample rules:

`ScriptBlockText` 67 entries

match: New-Object 6 rules

Top techniques:PowerShell T1059.001, Credentials from Password Stores T1555, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, Clear Command History T1070.003

Sample rules:

sigma Dump Credentials from Windows Credential Manager With PowerShell
sigma PowerShell ICMP Exfiltration
sigma Powershell MsXml COM Object
sigma Suspicious PowerShell Invocations - Specific
sigma Suspicious IO.FileStream
sigma Powershell XML Execute Command

eq: "*[adsisearcher]*" 4 rules

Top techniques:Domain Account T1087.002, Domain Groups T1069.002

Sample rules:

splunk AdsiSearcher Account Discovery
splunk Domain Group Discovery with Adsisearcher
splunk Windows Linked Policies In ADSI Discovery
splunk Windows Root Domain linked policies Discovery

eq: "*-ComputerName*" 3 rules

Top techniques:Windows Remote Management T1021.006, Windows Management Instrumentation T1047

Sample rules:

eq: "*Get-DomainComputer*" 3 rules

Top techniques:Remote System Discovery T1018

Sample rules:

eq: "*Get-NetComputer*" 3 rules

Top techniques:Remote System Discovery T1018, Domain Account T1087.002

Sample rules:

eq: "*Get-NetUser*" 3 rules

Top techniques:Account Discovery T1087, Local Account T1087.001

Sample rules:

eq: "*SELECT*" 3 rules

Top techniques:Gather Victim Host Information T1592, Hardware T1592.001

Sample rules:

splunk Recon AVProduct Through Pwh or WMI
splunk Windows Gather Victim Host Information Camera
splunk WMI Recon Running Process Or Services

match: -Path 3 rules

Top techniques:File and Directory Permissions Modification T1222, File and Directory Discovery T1083, Mark-of-the-Web Bypass T1553.005

Sample rules:

sigma PowerShell Script Change Permission Via Set-Acl - PsScript
sigma Powershell Directory Enumeration
sigma Suspicious Unblock-File

match: Get-ChildItem 3 rules

Top techniques:Automated Collection T1119, Browser Information Discovery T1217, File and Directory Discovery T1083

Sample rules:

match: Invoke-RestMethod 3 rules

Top techniques:Automated Exfiltration T1020, Web Protocols T1071.001, PowerShell T1059.001

Sample rules:

match: Invoke-WebRequest 3 rules

Top techniques:Automated Exfiltration T1020, Web Protocols T1071.001, PowerShell T1059.001

Sample rules:

match: Out-File 3 rules

Top techniques:System Owner/User Discovery T1033, Automated Exfiltration T1020

Sample rules:

match: Start-Process 3 rules

Top techniques:NTFS File Attributes T1564.004, Windows Command Shell T1059.003, Rename Legitimate Utilities T1036.003

Sample rules:

sigma Powershell Store File In Alternate Data Stream
sigma Powershell Execute Batch Script
sigma Suspicious Start-Process PassThru

match: iwr 3 rules

Top techniques:Automated Exfiltration T1020, Web Protocols T1071.001, PowerShell T1059.001

Sample rules:

match: powershell 3 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027, Hidden Window T1564.003

Sample rules:

eq: "*Get-DomainUser*" 2 rules

Top techniques:AS-REP Roasting T1558.004, Domain Account T1087.002

Sample rules:

eq: "*findAll()*" 2 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002

Sample rules:

splunk Domain Group Discovery with Adsisearcher
splunk Windows Linked Policies In ADSI Discovery

eq: "*namespace root\\directory\\ldap*" 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002

Sample rules:

eq: *Get-WmiObject* 2 rules

Top techniques:Remote System Discovery T1018, Domain Groups T1069.002

Sample rules:

in: "*pwdlastset*" 2 rules

Top techniques:Account Discovery T1087, Domain Account T1087.002

Sample rules:

in: "*samaccountname*" 2 rules

Top techniques:Account Discovery T1087, Domain Account T1087.002

Sample rules:

match: -Filter \* 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: -Recurse 2 rules

Top techniques:Automated Collection T1119, Browser Information Discovery T1217

Sample rules:

match: irm 2 rules

Top techniques:Web Protocols T1071.001, PowerShell T1059.001

Sample rules:

match: | Select 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: && 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: (Get-PSReadlineOption).HistorySavePath 2 rules

Top techniques:Clear Command History T1070.003, Indicator Removal T1070

Sample rules:

sigma Clear PowerShell History - PowerShell
sigma Clearing Windows Console History

match: (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1') 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: -AclObject 2 rules

Top techniques:File and Directory Permissions Modification T1222

Sample rules:

match: -ComputerName 2 rules

Top techniques:PowerShell T1059.001, Non-Standard Port T1571

Sample rules:

sigma PowerShell Remote Session Creation
sigma Testing Usage of Uncommonly Used Port

match: -FeatureName 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: -Filter 2 rules

Top techniques:System Owner/User Discovery T1033, Domain Groups T1069.002

Sample rules:

match: -ImagePath 2 rules

Top techniques:Mark-of-the-Web Bypass T1553.005

Sample rules:

sigma Suspicious Invoke-Item From Mount-DiskImage
sigma Suspicious Mount-DiskImage

match: -Online 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: -SecurityDescriptorSddl 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011

Sample rules:

match: -sd 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011

Sample rules:

match: Add-Content 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: AdjustTokenPrivileges 2 rules

Top techniques:PowerShell T1059.001, Native API T1106

Sample rules:

match: DumpCerts 2 rules

Top techniques:PowerShell T1059.001, OS Credential Dumping T1003

Sample rules:

match: DumpCreds 2 rules

Top techniques:PowerShell T1059.001, OS Credential Dumping T1003

Sample rules:

match: Find-GPOLocation 2 rules

Top techniques:PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087, Local Account T1087.001

Sample rules:

match: Get-ADReplAccount 2 rules

Top techniques:PowerShell T1059.001, DCSync T1003.006

Sample rules:

match: Get-Keystrokes 2 rules

Top techniques:Keylogging T1056.001, PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087

Sample rules:

sigma Powershell Keylogging
sigma Malicious PowerShell Commandlets - ScriptBlock

match: Get-WmiObject 2 rules

Top techniques:System Checks T1497.001, Inhibit System Recovery T1490

Sample rules:

match: Invoke-ACLScanner 2 rules

Top techniques:PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087, Local Account T1087.001

Sample rules:

match: Invoke-DNSExfiltrator 2 rules

Top techniques:Exfiltration Over Alternative Protocol T1048, PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087

Sample rules:

sigma Powershell DNSExfiltration
sigma Malicious PowerShell Commandlets - ScriptBlock

match: Invoke-UserHunter 2 rules

Top techniques:PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087, Local Account T1087.001

Sample rules:

match: Microsoft.PowerShell.Core\Export-ModuleMember 2 rules

Top techniques:Scheduled Task T1053.005, Network Share Connection Removal T1070.005

Sample rules:

sigma Powershell Create Scheduled Task
sigma PowerShell Deleted Mounted Share

match: Mount-DiskImage 2 rules

Top techniques:Mark-of-the-Web Bypass T1553.005

Sample rules:

sigma Suspicious Invoke-Item From Mount-DiskImage
sigma Suspicious Mount-DiskImage

match: New-LocalUser 2 rules

Top techniques:PowerShell T1059.001, Local Account T1136.001, Account Manipulation T1098

Sample rules:

sigma PowerShell Create Local User
sigma Powershell LocalAccount Manipulation

match: Remove-Item 2 rules

Top techniques:Clear Command History T1070.003, Indicator Removal T1070

Sample rules:

sigma Clear PowerShell History - PowerShell
sigma Clearing Windows Console History

match: Remove-Update 2 rules

Top techniques:PowerShell T1059.001, Permission Groups Discovery T1069, Local Groups T1069.001, Domain Groups T1069.002, Account Discovery T1087, Local Account T1087.001

Sample rules:

match: Set-Acl 2 rules

Top techniques:File and Directory Permissions Modification T1222

Sample rules:

match: Set-Content 2 rules

Top techniques:System Owner/User Discovery T1033

Sample rules:

match: Set-Service 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011

Sample rules:

match: Win32_ShadowCopy 2 rules

Top techniques:NTDS T1003.003, Inhibit System Recovery T1490

Sample rules:

match: bypass 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: foreach 2 rules

Top techniques:Automated Exfiltration T1020, File and Directory Discovery T1083

Sample rules:

match: gwmi 2 rules

Top techniques:System Checks T1497.001, Inhibit System Recovery T1490

Sample rules:

match: gwmi 2 rules

Top techniques:Local Groups T1069.001, Windows Management Instrumentation T1047

Sample rules:

match: iex 2 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027

Sample rules:

match: ls 2 rules

Top techniques:File and Directory Discovery T1083, Credentials In Files T1552.001

Sample rules:

sigma Powershell Sensitive File Discovery
sigma Extracting Information with PowerShell

match: new-object 2 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027

Sample rules:

match: rm 2 rules

Top techniques:Clear Command History T1070.003, Indicator Removal T1070

Sample rules:

sigma Clear PowerShell History - PowerShell
sigma Clearing Windows Console History

match: rundll32 2 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027

Sample rules:

match: shell32.dll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: shellexec_rundll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

`EventID` 61 entries

eq: 4104 108 rules

Top techniques:PowerShell T1059.001, Domain Account T1087.002, Remote System Discovery T1018, Domain Groups T1069.002, Steal or Forge Authentication Certificates T1649, AS-REP Roasting T1558.004

Sample rules (showing 8 of 108):

eq: 7 35 rules

Top techniques:DLL T1574.001, CMSTP T1218.003, Spearphishing Attachment T1566.001, JavaScript T1059.007, Dynamic-link Library Injection T1055.001, Print Processors T1547.012

Sample rules (showing 8 of 35):

splunk CMLUA Or CMSTPLUA UAC Bypass
splunk Loading Of Dynwrapx Module
splunk MS Scripting Process Loading Ldap Module
splunk MS Scripting Process Loading WMI Module
splunk MSI Module Loaded by Non-System Binary
splunk Spoolsv Suspicious Loaded Modules
splunk Sunburst Correlation DLL and Network Event
splunk UAC Bypass MMC Load Unsigned Dll

eq: 5136 22 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Group Policy Modification T1484.001, Account Manipulation T1098, Rogue Domain Controller T1207, Disable or Modify Tools T1562.001

Sample rules (showing 8 of 22):

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Deny ACL Modification
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification
splunk Windows AD DCShadow Privileges ACL Addition
splunk Windows AD Domain Replication ACL Addition
splunk Windows AD Domain Root ACL Deletion
splunk Windows AD Domain Root ACL Modification

eq: 4663 16 rules

Top techniques:Query Registry T1012, Credentials from Web Browsers T1555.003, Credentials In Files T1552.001, Exploit Public-Facing Application T1190, Security Account Manager T1003.002, Unsecured Credentials T1552

Sample rules (showing 8 of 16):

eq: 22 15 rules

Top techniques:DNS T1071.004, Visual Basic T1059.005, IP Addresses T1590.005, Gather Victim Network Information T1590, Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules (showing 8 of 15):

splunk Local LLM Framework DNS Query
splunk Sunburst Correlation DLL and Network Event
splunk Windows AI Platform DNS Query
splunk Windows BitLockerToGo with Network Activity
splunk Windows DNS Query Request To TinyUrl
splunk Windows Visual Basic Commandline Compiler DNSQuery
splunk Rundll32 DNSQuery
splunk Suspicious Process DNS Query Known Abuse Web Services

eq: 10 14 rules

Top techniques:LSASS Memory T1003.001, Token Impersonation/Theft T1134.001, Portable Executable Injection T1055.002, Pass the Ticket T1550.003, Exploitation for Privilege Escalation T1068, Disable or Modify Tools T1562.001

Sample rules (showing 8 of 14):

eq: 7045 12 rules

Top techniques:Service Execution T1569.002, Windows Service T1543.003, Create or Modify System Process T1543, Masquerading T1036, Rootkit T1014, Exploitation for Privilege Escalation T1068

Sample rules (showing 8 of 12):

splunk Clop Ransomware Known Service Name
splunk Malicious Powershell Executed As A Service
splunk Randomly Generated Windows Service Name
splunk Windows Bluetooth Service Installed From Uncommon Location
splunk Windows Driver Load Non-Standard Path
splunk Windows KrbRelayUp Service Creation
splunk Windows Service Create RemComSvc
splunk Windows Service Create SliverC2

eq: 11 10 rules

Top techniques:LSASS Memory T1003.001, Malicious File T1204.002, Data Encrypted for Impact T1486, Rundll32 T1218.011, Domain Account T1087.002, Print Processors T1547.012

Sample rules (showing 8 of 10):

splunk Creation of lsass Dump with Taskmgr
splunk Drop IcedID License dat
splunk Ransomware Notes bulk creation
splunk Rundll32 Process Creating Exe Dll Files
splunk SchCache Change By App Connect And Create ADSI Object
splunk Spoolsv Writing a DLL - Sysmon
splunk Sqlite Module In Temp Folder
splunk Wermgr Process Create Executable File

eq: 4768 10 rules

Top techniques:Password Spraying T1110.003, Use Alternate Authentication Material T1550, Email Addresses T1589.002, OS Credential Dumping T1003, Domain Accounts T1078.002, Steal or Forge Kerberos Tickets T1558

Sample rules (showing 8 of 10):

eq: 4698 8 rules

Top techniques:Scheduled Task T1053.005, Scheduled Task/Job T1053

Sample rules:

splunk Randomly Generated Scheduled Task Name
splunk Schedule Task with HTTP Command Arguments
splunk Schedule Task with Rundll32 Command Trigger
splunk Short Lived Scheduled Task
splunk Windows Hidden Schedule Task Settings
splunk Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
splunk WinEvent Scheduled Task Created to Spawn Shell
splunk WinEvent Scheduled Task Created Within Public Path

eq: 8 8 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002, LSASS Memory T1003.001, Dynamic-link Library Injection T1055.001

Sample rules:

splunk Create Remote Thread In Shell Application
splunk Create Remote Thread into LSASS
splunk Powershell Remote Thread To Known Windows Process
splunk Rundll32 Create Remote Thread To A Process
splunk Rundll32 CreateRemoteThread In Browser
splunk Windows Process Injection Of Wermgr to Known Browser
splunk Windows Process Injection Remote Thread
splunk Windows Process Injection With Public Source Path

eq: 4624 6 rules

Top techniques:Valid Accounts T1078, Exploit Public-Facing Application T1190, Steal or Forge Kerberos Tickets T1558, Credential Stuffing T1110.004, Security Account Manager T1003.002, Remote Desktop Protocol T1021.001

Sample rules:

eq: 4625 6 rules

Top techniques:Password Spraying T1110.003, Exploit Public-Facing Application T1190, Credential Stuffing T1110.004

Sample rules:

eq: 4769 6 rules

Top techniques:Kerberoasting T1558.003, Valid Accounts T1078, Golden Ticket T1558.001, Domain Accounts T1078.002, Network Share Discovery T1135

Sample rules:

in: "23" 6 rules

Top techniques:Data Destruction T1485, File Deletion T1070.004, Clear Command History T1070.003

Sample rules:

splunk Excessive File Deletion In WinDefender Folder
splunk Windows ConsoleHost History File Deletion
splunk Windows Data Destruction Recursive Exec Files Deletion
splunk Windows Default Rdp File Deletion
splunk Windows High File Deletion Frequency
splunk Windows RDP Cache File Deletion

in: "26" 6 rules

Top techniques:Data Destruction T1485, File Deletion T1070.004, Clear Command History T1070.003

Sample rules:

splunk Excessive File Deletion In WinDefender Folder
splunk Windows ConsoleHost History File Deletion
splunk Windows Data Destruction Recursive Exec Files Deletion
splunk Windows Default Rdp File Deletion
splunk Windows High File Deletion Frequency
splunk Windows RDP Cache File Deletion

in: 17 6 rules

Top techniques:Application Layer Protocol T1071, Process Injection T1055, Inter-Process Communication T1559, SMB/Windows Admin Shares T1021.002

Sample rules:

splunk Trickbot Named Pipe
splunk Windows Anonymous Pipe Activity
splunk Windows App Layer Protocol Qakbot NamedPipe
splunk Windows App Layer Protocol Wermgr Connect To NamedPipe
splunk Windows Application Layer Protocol RMS Radmin Tool Namedpipe
splunk Windows Suspicious Named Pipe

in: 18 6 rules

Top techniques:Application Layer Protocol T1071, Process Injection T1055, Inter-Process Communication T1559, SMB/Windows Admin Shares T1021.002

Sample rules:

splunk Trickbot Named Pipe
splunk Windows Anonymous Pipe Activity
splunk Windows App Layer Protocol Qakbot NamedPipe
splunk Windows App Layer Protocol Wermgr Connect To NamedPipe
splunk Windows Application Layer Protocol RMS Radmin Tool Namedpipe
splunk Windows Suspicious Named Pipe

eq: 3 4 rules

Top techniques:Regsvcs/Regasm T1218.009, Mail Protocols T1071.003

Sample rules:

eq: 4662 4 rules

Top techniques:Domain Account T1087.002, DCSync T1003.006

Sample rules:

eq: 4742 4 rules

Top techniques:SID-History Injection T1134.005, Exploitation of Remote Services T1210, Rogue Domain Controller T1207

Sample rules:

splunk Detect Computer Changed with Anonymous Account
splunk Windows AD Cross Domain SID History Addition
splunk Windows AD Domain Controller Promotion
splunk Windows AD Same Domain SID History Addition

eq: 4776 4 rules

Top techniques:Password Spraying T1110.003

Sample rules:

eq: 5145 4 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Transfer Data to Cloud Account T1537, Forced Authentication T1187, Network Share Discovery T1135

Sample rules:

eq: 6 4 rules

Top techniques:Windows Service T1543.003, Rootkit T1014, Exploitation for Privilege Escalation T1068

Sample rules:

splunk Windows Drivers Loaded by Signature
splunk Windows Suspicious Driver Loaded Path
splunk Windows Vulnerable Driver Loaded
splunk XMRIG Driver Loaded

eq: 1 3 rules

Top techniques:Remote Access Tools T1219, Indicator Removal T1070, Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

eq: 15 3 rules

Top techniques:NTFS File Attributes T1564.004, Ingress Tool Transfer T1105

Sample rules:

splunk Download Files Using Telegram
splunk Windows Alternate DataStream - Base64 Content
splunk Windows Alternate DataStream - Executable Content

eq: 15457 3 rules

Top techniques:SQL Stored Procedures T1505.001

Sample rules:

eq: 17 3 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Process Injection T1055, Inter-Process Communication T1559

Sample rules:

eq: 18 3 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Process Injection T1055, Inter-Process Communication T1559

Sample rules:

eq: 4648 3 rules

Top techniques:Password Spraying T1110.003, Exploit Public-Facing Application T1190

Sample rules:

eq: 4738 3 rules

Top techniques:SID-History Injection T1134.005, AS-REP Roasting T1558.004

Sample rules:

eq: 5137 3 rules

Top techniques:Rogue Domain Controller T1207, Domain Accounts T1078.002, Group Policy Modification T1484.001, DNS T1071.004, Forced Authentication T1187, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

splunk Windows AD Short Lived Server Object
splunk Windows Group Policy Object Created
splunk Windows Short Lived DNS Record

eq: 7040 3 rules

Top techniques:Disable or Modify Tools T1562.001, Service Stop T1489

Sample rules:

splunk Windows Event For Service Disabled
splunk Windows Excessive Disabled Services Event
splunk Windows Service Stop Win Updates

in: 1126 3 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Audit Events
splunk Windows Defender ASR Block Events
splunk Windows Defender ASR Rules Stacking

in: 4727 3 rules

Top techniques:Local Account T1136.001, Domain Account T1136.002, Account Manipulation T1098, Impair Defenses T1562

Sample rules:

in: 4728 3 rules

Top techniques:Account Manipulation T1098, Impair Defenses T1562

Sample rules:

splunk Windows AD add Self to Group
splunk Windows AD Privileged Group Modification
splunk Windows Increase in User Modification Activity

in: 5007 3 rules

Top techniques:Modify Registry T1112, Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Registry Modification
splunk Windows Defender ASR Rule Disabled
splunk Windows Defender ASR Rules Stacking

eq: 23 2 rules

Top techniques:Mark-of-the-Web Bypass T1553.005, File Deletion T1070.004

Sample rules:

splunk Windows Mark Of The Web Bypass
splunk Windows Rdp AutomaticDestinations Deletion

eq: 4719 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

eq: 4732 2 rules

Top techniques:Local Account T1136.001, Account Manipulation T1098

Sample rules:

splunk Detect New Local Admin account
splunk Windows DnsAdmins New Member Added

eq: 4741 2 rules

Top techniques:Steal or Forge Kerberos Tickets T1558

Sample rules:

splunk Windows Computer Account Created by Computer Account
splunk Windows Computer Account With SPN

eq: 4771 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

eq: 4781 2 rules

Top techniques:Domain Accounts T1078.002

Sample rules:

splunk Suspicious Computer Account Name Change
splunk Suspicious Ticket Granting Ticket Request

eq: 5 2 rules

Top techniques:Data Encrypted for Impact T1486, Service Stop T1489

Sample rules:

splunk High Process Termination Frequency
splunk Windows Processes Killed By Industroyer2 Malware

eq: 5140 2 rules

Top techniques:Network Share Discovery T1135

Sample rules:

eq: 7036 2 rules

Top techniques:Service Execution T1569.002, Inhibit System Recovery T1490

Sample rules:

eq: 9 2 rules

Top techniques:Disk Structure Wipe T1561.002

Sample rules:

in: 1121 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Block Events
splunk Windows Defender ASR Rules Stacking

in: 1122 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Audit Events
splunk Windows Defender ASR Rules Stacking

in: 1125 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Audit Events
splunk Windows Defender ASR Rules Stacking

in: 1129 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Block Events
splunk Windows Defender ASR Rules Stacking

in: 1131 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Block Events
splunk Windows Defender ASR Rules Stacking

in: 1132 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Audit Events
splunk Windows Defender ASR Rules Stacking

in: 1133 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Block Events
splunk Windows Defender ASR Rules Stacking

in: 1134 2 rules

Top techniques:Command and Scripting Interpreter T1059, Spearphishing Attachment T1566.001, Spearphishing Link T1566.002

Sample rules:

splunk Windows Defender ASR Audit Events
splunk Windows Defender ASR Rules Stacking

in: 4698 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

in: 4700 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

in: 4702 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

in: 4731 2 rules

Top techniques:Account Manipulation T1098, Impair Defenses T1562, Local Account T1136.001, Domain Account T1136.002

Sample rules:

in: 4738 2 rules

Top techniques:SID-History Injection T1134.005, Account Manipulation T1098, Impair Defenses T1562

Sample rules:

in: 4887 2 rules

Top techniques:Steal or Forge Authentication Certificates T1649, Use Alternate Authentication Material T1550

Sample rules:

`ImageLoaded` 60 entries

starts_with: C:\Windows\WinSxS\ 9 rules

Top techniques:DLL T1574.001

Sample rules (showing 8 of 9):

starts_with: C:\Windows\SysWOW64\ 8 rules

Top techniques:DLL T1574.001, Process Injection T1055, System Binary Proxy Execution T1218

Sample rules:

starts_with: C:\Windows\System32\ 8 rules

Top techniques:DLL T1574.001, Process Injection T1055, System Binary Proxy Execution T1218

Sample rules:

starts_with: C:\Program Files (x86)\ 6 rules

Top techniques:DLL T1574.001

Sample rules:

sigma Potential 7za.DLL Sideloading
sigma Potential DLL Sideloading Of DBGCORE.DLL
sigma Potential DLL Sideloading Of DBGHELP.DLL
sigma Potential Goopdate.DLL Sideloading
sigma Potential JLI.dll Side-Loading
sigma Potential Wazuh Security Platform DLL Sideloading

starts_with: C:\Program Files\ 6 rules

Top techniques:DLL T1574.001

Sample rules:

sigma Potential 7za.DLL Sideloading
sigma Potential DLL Sideloading Of DBGCORE.DLL
sigma Potential DLL Sideloading Of DBGHELP.DLL
sigma Potential Goopdate.DLL Sideloading
sigma Potential JLI.dll Side-Loading
sigma Potential Wazuh Security Platform DLL Sideloading

ends_with: \dbgcore.dll 4 rules

Top techniques:DLL T1574.001, LSASS Memory T1003.001, OS Credential Dumping T1003, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \dbghelp.dll 4 rules

Top techniques:DLL T1574.001, LSASS Memory T1003.001, OS Credential Dumping T1003, Disable or Modify Tools T1562.001

Sample rules:

ends_with: .dll 3 rules

Top techniques:CMSTP T1218.003, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218, Regsvr32 T1218.010, Rundll32 T1218.011

Sample rules:

ends_with: \vbscript.dll 3 rules

Top techniques:Windows Management Instrumentation Event Subscription T1546.003, Visual Basic T1059.005, MMC T1218.014, XSL Script Processing T1220

Sample rules:

eq: "*.dll" 3 rules

Top techniques:Print Processors T1547.012, MMC T1218.014, Bypass User Account Control T1548.002, Ingress Tool Transfer T1105

Sample rules:

splunk Spoolsv Suspicious Loaded Modules
splunk UAC Bypass MMC Load Unsigned Dll
splunk Windows DLL Module Loaded in Temp Dir

match: \ProgramData\ 3 rules

Top techniques:CMSTP T1218.003, DLL T1574.001, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

starts_with: C:\Program Files (x86)\Windows Kits\ 3 rules

Top techniques:DLL T1574.001

Sample rules:

sigma Potential DLL Sideloading Of DbgModel.DLL
sigma Potential Iviewers.DLL Sideloading
sigma Potential Rcdll.DLL Sideloading

ends_with: \RstrtMgr.dll 2 rules

Top techniques:Data Encrypted for Impact T1486, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \amsi.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \credui.dll 2 rules

Top techniques:GUI Input Capture T1056.002, DLL T1574.001

Sample rules:

ends_with: \cryptbase.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \cryptsp.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \dismcore.dll 2 rules

Top techniques:DLL T1574.001, Bypass User Account Control T1548.002

Sample rules:

ends_with: \edputil.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \iphlpapi.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \jscript.dll 2 rules

Top techniques:Visual Basic T1059.005, MMC T1218.014, XSL Script Processing T1220

Sample rules:

sigma MMC Loading Script Engines DLLs
sigma WMIC Loading Scripting Libraries

ends_with: \kprocesshacker.sys 2 rules

Top techniques:Create or Modify System Process T1543, Exploitation for Privilege Escalation T1068, Windows Service T1543.003

Sample rules:

sigma PUA - Process Hacker Driver Load
sigma Vulnerable Driver Load By Name

ends_with: \mfdetours.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

sigma Potential Mfdetours.DLL Sideloading
sigma Unsigned Mfdetours.DLL Sideloading

ends_with: \mscoree.dll 2 rules

Top techniques:DLL T1574.001, Process Injection T1055

Sample rules:

ends_with: \profapi.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \sspicli.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \ttdrecord.dll 2 rules

Top techniques:LSASS Memory T1003.001, System Binary Proxy Execution T1218, DLL T1574.001

Sample rules:

ends_with: \version.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \vssapi.dll 2 rules

Top techniques:Inhibit System Recovery T1490, DLL T1574.001

Sample rules:

ends_with: \vsstrace.dll 2 rules

Top techniques:Inhibit System Recovery T1490, DLL T1574.001

Sample rules:

ends_with: \wininet.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \winsta.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \wldp.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

ends_with: \wtsapi32.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

eq: "*\\taskschd.dll" 2 rules

Top techniques:Spearphishing Attachment T1566.001, Scheduled Task/Job T1053

Sample rules:

splunk Windows Office Product Loading Taskschd DLL
splunk Windows Scheduled Task DLL Module Loaded

in: "*:\\windows\\system32\\*" 2 rules

Top techniques:DLL T1574.001

Sample rules:

in: "*:\\windows\\syswow64\\*" 2 rules

Top techniques:DLL T1574.001

Sample rules:

in: "*\\fastprox.dll" 2 rules

Top techniques:JavaScript T1059.007, CMSTP T1218.003

Sample rules:

splunk MS Scripting Process Loading WMI Module
splunk Wbemprox COM Object Execution

in: "*\\wbemcomn.dll" 2 rules

Top techniques:JavaScript T1059.007, CMSTP T1218.003

Sample rules:

splunk MS Scripting Process Loading WMI Module
splunk Wbemprox COM Object Execution

in: "*\\wbemprox.dll" 2 rules

Top techniques:JavaScript T1059.007, CMSTP T1218.003

Sample rules:

splunk MS Scripting Process Loading WMI Module
splunk Wbemprox COM Object Execution

match: :\Perflogs\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: :\Program Files (x86)\Windows Kits\10\bin\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

sigma Potential Mfdetours.DLL Sideloading
sigma Unsigned Mfdetours.DLL Sideloading

match: :\Users\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, DLL T1574.001

Sample rules:

match: :\Users\Public\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: :\Windows\Temp\ 2 rules

Top techniques:DLL T1574.001, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

sigma Potential ShellDispatch.DLL Sideloading
sigma BaaUpdate.exe Suspicious DLL Load

match: C:\Debuggers\dbghelp.dll 2 rules

Top techniques:DLL T1574.001

Sample rules:

match: \AppData\Local\Temp\ 2 rules

Top techniques:DLL T1574.001, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

sigma Potential ShellDispatch.DLL Sideloading
sigma BaaUpdate.exe Suspicious DLL Load

match: \AppData\local\Google\Chrome\Application\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

match: \Contacts\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: \Favorites\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: \Favourites\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: \Pictures\ 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: \Temp\ 2 rules

Top techniques:Windows Service T1543.003, Malicious File T1204.002

Sample rules:

match: \Temporary Internet 2 rules

Top techniques:Command and Scripting Interpreter T1059, Distributed Component Object Model T1021.003, System Binary Proxy Execution T1218

Sample rules:

match: \Windows\Temp\ 2 rules

Top techniques:CMSTP T1218.003, Command and Scripting Interpreter T1059

Sample rules:

match: opera\Opera Installer Temp\opera_package 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\Program Files\Windows Kits\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\ProgramData\Microsoft\Windows Defender\Platform\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\Windows\SoftwareDistribution\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

starts_with: C:\Windows\SystemTemp\ 2 rules

Top techniques:DLL T1574.001

Sample rules:

`QueryName` 58 entries

ends_with: .hiddenservice.net 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.ca 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.cab 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.casa 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.city 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.direct 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.dog 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.glass 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.gq 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.ink 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.it 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.link 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.lt 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.lu 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.nu 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.pet 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.plus 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.rip 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.sh 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.to 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .onion.top 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .s1.tor-gateways.de 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .s2.tor-gateways.de 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .s3.tor-gateways.de 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .s4.tor-gateways.de 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .s5.tor-gateways.de 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .t2w.pw 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.ae.org 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.blutmagie.de 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.com 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.fi 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.io 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.org 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .tor2web.xyz 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: .torlink.co 2 rules

Top techniques:Multi-hop Proxy T1090.003

Sample rules:

sigma Query Tor Onion Address - DNS Client
sigma DNS Query Tor .Onion Address - Sysmon

ends_with: remoteassistance.support.services.microsoft.com 2 rules

Top techniques:Web Protocols T1071.001, Exploitation of Remote Services T1210, Remote Desktop Software T1219.002

Sample rules:

in: "*api.ip.sb" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*api.ipify.org" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*b.barracudacentral.org" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*cbl.abuseat.org" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*discord*" 2 rules

Top techniques:Visual Basic T1059.005

Sample rules:

in: "*dnsbl-1.uceprotect.net" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*icanhazip.com" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*ip.anysrc.com" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*ipecho.net" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*ipinfo.io" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*spam.dnsbl.sorbs.net" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*wtfismyip.com" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "*zen.spamhaus.org" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "ident.me" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

in: "www.myexternalip.com" 2 rules

Top techniques:IP Addresses T1590.005

Sample rules:

match: .anonfiles.com 2 rules

Top techniques:Exfiltration to Cloud Storage T1567.002

Sample rules:

match: .stage.123456. 2 rules

Top techniques:DNS T1071.004

Sample rules:

match: ufile.io 2 rules

Top techniques:Exfiltration to Cloud Storage T1567.002

Sample rules:

sigma DNS Query To Ufile.io - DNS Client
sigma DNS Query To Ufile.io

match: userstorage.mega.co.nz 2 rules

Top techniques:Exfiltration to Cloud Storage T1567.002

Sample rules:

starts_with: aaa.stage. 2 rules

Top techniques:DNS T1071.004

Sample rules:

starts_with: post.1 2 rules

Top techniques:DNS T1071.004

Sample rules:

`process_name` 51 entries

in: "EQNEDT32.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "Graph.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "excel.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "msaccess.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "mspub.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "onenote.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "onenoteim.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "onenotem.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "outlook.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "powerpnt.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "visio.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "winproj.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "winword.exe" 5 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Windows Office Product Dropped Cab or Inf File
splunk Windows Office Product Dropped Uncommon File
splunk Windows Office Product Loaded MSHTML Module
splunk Windows Office Product Loading Taskschd DLL
splunk Windows Office Product Loading VBE7 DLL

in: "pwsh.exe" 4 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, NTFS File Attributes T1564.004, Windows Remote Management T1021.006, Visual Basic T1059.005

Sample rules:

eq: C:\Windows\System32\svchost.exe 3 rules

Top techniques:Timestomp T1070.006, Disable or Modify Tools T1562.001, LSASS Memory T1003.001

Sample rules:

eq: powershell.exe 3 rules

Top techniques:PowerShell T1059.001, Malicious File T1204.002, SQL Stored Procedures T1505.001

Sample rules:

eq: powershell_ise.exe 3 rules

Top techniques:PowerShell T1059.001, Malicious File T1204.002, SQL Stored Procedures T1505.001

Sample rules:

eq: pwsh.exe 3 rules

Top techniques:PowerShell T1059.001, Malicious File T1204.002, SQL Stored Procedures T1505.001

Sample rules:

eq: rundll32.exe 3 rules

Top techniques:Rundll32 T1218.011, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003

Sample rules:

in: "cacls.exe" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001

Sample rules:

in: "cmd.exe" 3 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, Windows Remote Management T1021.006, Visual Basic T1059.005

Sample rules:

in: "cscript.exe" 3 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, NTFS File Attributes T1564.004, Visual Basic T1059.005

Sample rules:

in: "icacls.exe" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001

Sample rules:

in: "wordpad.exe" 3 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "wordview.exe" 3 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

in: "wscript.exe" 3 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, NTFS File Attributes T1564.004, Visual Basic T1059.005

Sample rules:

in: "xcacls.exe" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001

Sample rules:

ends_with: \procexp.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \procexp64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \procmon.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \procmon64.exe 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

ends_with: \thor.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: \thor64.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: \wmiprvse.exe 2 rules

Top techniques:LSASS Memory T1003.001, Windows Management Instrumentation T1047, Service Execution T1569.002

Sample rules:

eq: *.exe 2 rules

Top techniques:Screen Capture T1113

Sample rules:

splunk Suspicious Image Creation In Appdata Folder
splunk Suspicious WAV file in Appdata Folder

eq: C:\Windows\System32\wbem\WmiPrvSE.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

eq: cmd.exe 2 rules

Top techniques:PowerShell T1059.001, Malicious File T1204.002, SQL Stored Procedures T1505.001

Sample rules:

splunk Windows Explorer.exe Spawning PowerShell or Cmd
splunk Windows Sqlservr Spawning Shell

eq: outlook.exe 2 rules

Top techniques:Spearphishing Attachment T1566.001, Phishing T1566

Sample rules:

splunk Detect Outlook exe writing a zip file
splunk Windows Phishing Outlook Drop Dll In FORM Dir

eq: spoolsv.exe 2 rules

Top techniques:Print Processors T1547.012

Sample rules:

splunk Spoolsv Writing a DLL
splunk Spoolsv Writing a DLL - Sysmon

in: "*powershell*" 2 rules

Top techniques:Windows Remote Management T1021.006, Visual Basic T1059.005

Sample rules:

in: "mshta.exe" 2 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, NTFS File Attributes T1564.004

Sample rules:

in: "powershell.exe" 2 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, NTFS File Attributes T1564.004

Sample rules:

in: "powershell_ise.exe" 2 rules

Top techniques:External Remote Services T1133, Exploit Public-Facing Application T1190, NTFS File Attributes T1564.004

Sample rules:

match: :\Program Files (x86)\ 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

match: :\Program Files\ 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

match: Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe 2 rules

Top techniques:Query Registry T1012

Sample rules:

match: Microsoft.Identity.Health.Adfs.InsightsService.exe 2 rules

Top techniques:Query Registry T1012

Sample rules:

match: Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe 2 rules

Top techniques:Query Registry T1012

Sample rules:

match: Microsoft.Identity.Health.Adfs.PshSurrogate.exe 2 rules

Top techniques:Query Registry T1012

Sample rules:

match: Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe 2 rules

Top techniques:Query Registry T1012

Sample rules:

ne: "-" 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

`DestinationHostname` 33 entries

ends_with: mega.co.nz 4 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001, Exfiltration to Cloud Storage T1567.002

Sample rules:

ends_with: mega.nz 4 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001, Exfiltration to Cloud Storage T1567.002

Sample rules:

ends_with: trycloudflare.com 4 rules

Top techniques:Ingress Tool Transfer T1105, Exfiltration Over Web Service T1567, Protocol Tunneling T1572, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: anonfiles.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: cdn.discordapp.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: ddns.net 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: gofile.io 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: hastebin.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: mediafire.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: pages.dev 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: paste.ee 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: pastebin.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: pastebin.pl 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: pastetext.net 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: privatlab.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: privatlab.net 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: send.exploit.in 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: sendspace.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: storage.googleapis.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: temp.sh 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: transfer.sh 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: ufile.io 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: w3spaces.com 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: workers.dev 3 rules

Top techniques:Ingress Tool Transfer T1105, Web Service T1102, Dead Drop Resolver T1102.001

Sample rules:

ends_with: .githubusercontent.com 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: dl.dropboxusercontent.com 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: ghostbin.co 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: github.com 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: glitch.me 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: onrender.com 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: pixeldrain.com 2 rules

Top techniques:Web Service T1102, Dead Drop Resolver T1102.001, Ingress Tool Transfer T1105

Sample rules:

ends_with: storjshare.io 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

ends_with: supabase.co 2 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

`GrantedAccess` 33 entries

in: "0x1fffff" 4 rules

Top techniques:Portable Executable Injection T1055.002, LSASS Memory T1003.001, Windows Management Instrumentation T1047

Sample rules:

splunk Windows Possible Credential Dumping
splunk Windows Process Injection into Commonly Abused Processes
splunk Windows Process Injection into Notepad
splunk Windows WMI Impersonate Token

eq: 0x1fffff 3 rules

Top techniques:Native API T1106, Disable or Modify Tools T1562.001, Bypass User Account Control T1548.002, Exploitation for Privilege Escalation T1068

Sample rules:

sigma HackTool - CobaltStrike BOF Injection Pattern
sigma UAC Bypass Using WOW64 Logger DLL Hijack
splunk Spoolsv Suspicious Process Access

ends_with: 0x14C2 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 18 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 1A 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 30 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 38 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 3A 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 50 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 58 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 5A 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 70 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 78 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 7A 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 90 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 98 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: 9A 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: B0 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: B8 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: BA 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: D0 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: D8 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: DA 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: F0 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: F8 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: FA 3 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

eq: 0x1FFFFF 3 rules

Top techniques:LSASS Memory T1003.001, Extra Window Memory Injection T1055.011

Sample rules:

in: "0x40" 3 rules

Top techniques:Portable Executable Injection T1055.002, LSASS Memory T1003.001

Sample rules:

splunk Windows Possible Credential Dumping
splunk Windows Process Injection into Commonly Abused Processes
splunk Windows Process Injection into Notepad

eq: 0x14c0 2 rules

Top techniques:LSASS Memory T1003.001, OS Credential Dumping T1003

Sample rules:

sigma Suspicious LSASS Access Via MalSecLogon
elastic Suspicious LSASS Access via MalSecLogon

eq: 0x40 2 rules

Top techniques:LSASS Memory T1003.001, OS Credential Dumping T1003

Sample rules:

ends_with: 10 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

ends_with: FF 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

eq: 0x1040 2 rules

Top techniques:Token Impersonation/Theft T1134.001

Sample rules:

`Contents` 33 entries

match: .githubusercontent.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: anonfiles.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: cdn.discordapp.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: ddns.net 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: dl.dropboxusercontent.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: ghostbin.co 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: github.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: glitch.me 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: gofile.io 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: hastebin.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: mediafire.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: mega.nz 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: onrender.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: pages.dev 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: paste.ee 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: pastebin.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: pastebin.pl 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: pastetext.net 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: pixeldrain.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: privatlab.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: privatlab.net 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: send.exploit.in 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: sendspace.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: storage.googleapis.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: storjshare.io 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: supabase.co 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: temp.sh 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: transfer.sh 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: trycloudflare.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: ufile.io 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: w3spaces.com 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

match: workers.dev 2 rules

Top techniques:NTFS File Attributes T1564.004

Sample rules:

starts_with: [ZoneTransfer] ZoneId=3 2 rules

Sample rules:

`TargetImage` 29 entries

ends_with: \lsass.exe 13 rules

Top techniques:LSASS Memory T1003.001, Native API T1106, Windows Remote Management T1021.006, PowerShell T1059.001, Disable or Modify Tools T1562.001

Sample rules (showing 8 of 13):

eq: *lsass.exe 6 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

splunk Access LSASS Memory for Dump Creation
splunk Create Remote Thread into LSASS
splunk Detect Credential Dumping through LSASS access
splunk Windows Hunting System Account Targeting Lsass
splunk Windows Non-System Account Targeting Lsass
splunk Windows Terminating Lsass Process

wildcard: ?:\WINDOWS\system32\lsass.exe 4 rules

Top techniques:OS Credential Dumping T1003, LSASS Memory T1003.001, Native API T1106, Process Injection T1055

Sample rules:

elastic Suspicious LSASS Access via MalSecLogon
elastic Suspicious Lsass Process Access
elastic Potential Credential Access via LSASS Memory Dump
elastic Suspicious Process Access via Direct System Call

in: "*\\chrome.exe" 3 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002, Dynamic-link Library Injection T1055.001

Sample rules:

in: "*\\firefox.exe" 3 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002, Dynamic-link Library Injection T1055.001

Sample rules:

in: "*\\spoolsv.exe" 3 rules

Top techniques:Process Injection T1055, Exploitation for Privilege Escalation T1068, Portable Executable Injection T1055.002

Sample rules:

ends_with: \calc.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

ends_with: \calculator.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

ends_with: \mspaint.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

ends_with: \notepad.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

ends_with: \ping.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

ends_with: \wordpad.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

ends_with: \write.exe 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Extra Window Memory Injection T1055.011

Sample rules:

eq: "*.exe" 2 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002

Sample rules:

eq: C:\Windows\System32\conhost.exe 2 rules

Top techniques:Process Injection T1055

Sample rules:

eq: System 2 rules

Top techniques:Process Injection T1055

Sample rules:

in: "*\\CalculatorApp.exe" 2 rules

Top techniques:Portable Executable Injection T1055.002

Sample rules:

in: "*\\SysWOW64\\winlogon.exe*" 2 rules

Top techniques:Token Impersonation/Theft T1134.001

Sample rules:

in: "*\\calc.exe" 2 rules

Top techniques:Portable Executable Injection T1055.002

Sample rules:

in: "*\\cmd.exe" 2 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002

Sample rules:

splunk Create Remote Thread In Shell Application
splunk Windows Process Injection Remote Thread

in: "*\\explorer.exe" 2 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002

Sample rules:

in: "*\\iexplore.exe" 2 rules

Top techniques:Process Injection T1055, Dynamic-link Library Injection T1055.001

Sample rules:

in: "*\\microsoftedgecp.exe" 2 rules

Top techniques:Process Injection T1055, Dynamic-link Library Injection T1055.001

Sample rules:

in: "*\\notepad.exe" 2 rules

Top techniques:Portable Executable Injection T1055.002

Sample rules:

in: "*\\svchost.exe" 2 rules

Top techniques:Process Injection T1055, Portable Executable Injection T1055.002

Sample rules:

in: "*\\system32\\winlogon.exe*" 2 rules

Top techniques:Token Impersonation/Theft T1134.001

Sample rules:

in: "*\\win32calc.exe" 2 rules

Top techniques:Portable Executable Injection T1055.002

Sample rules:

starts_with: C:\Program Files (x86)\ 2 rules

Top techniques:Process Injection T1055

Sample rules:

starts_with: C:\Program Files\ 2 rules

Top techniques:Process Injection T1055

Sample rules:

`ServiceName` 26 entries

ends_with: $ 2 rules

Top techniques:Kerberoasting T1558.003

Sample rules:

eq: "*$" 2 rules

Top techniques:Golden Ticket T1558.001, Valid Accounts T1078, Network Share Discovery T1135

Sample rules:

eq: PSEXESVC 2 rules

Top techniques:Service Execution T1569.002, SMB/Windows Admin Shares T1021.002, Lateral Tool Transfer T1570

Sample rules:

match: AmmyyAdmin 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: AnyDesk 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: Atera 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: BASupportExpressSrvcUpdater 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: BASupportExpressStandaloneService 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: GoToAssist 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: GoToMyPC 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: LMIGuardianSvc 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: LogMeIn 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: Parsec 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: RManService 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: RPCPerformanceService 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: RPCService 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: SSUService 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: SplashtopRemoteService 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: TeamViewer 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: TightVNC 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: Zoho 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: chromoting 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: jumpcloud 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: monblanking 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

match: vncserver 2 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002

Sample rules:

ne: "*$" 2 rules

Top techniques:Kerberoasting T1558.003

Sample rules:

`aceAccessRights` 19 entries

in: "Full control" 4 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Deny ACL Modification
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "All extended rights" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "All validated writes" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Create all child objects" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Delete all child objects" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Delete subtree" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Delete" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Modify owner" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Modify permissions" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: "Write all properties" 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: CC 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: CR 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: DC 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: DT 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: SD 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: SW 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: WD 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: WO 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

in: WP 3 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484, Event Triggered Execution T1546

Sample rules:

splunk Windows AD AdminSDHolder ACL Modified
splunk Windows AD Dangerous Group ACL Modification
splunk Windows AD Dangerous User ACL Modification

`file_name` 17 entries

in: "*.exe" 7 rules

Top techniques:Masquerading T1036, Remote Access Tools T1219, Local Groups T1069.001, Spearphishing Attachment T1566.001, AppDomainManager T1574.014, Replication Through Removable Media T1091

Sample rules:

in: "*.dll" 6 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Spearphishing Attachment T1566.001, AppDomainManager T1574.014, Replication Through Removable Media T1091

Sample rules:

in: "*.js" 5 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Spearphishing Attachment T1566.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Office Product Dropped Uncommon File
splunk Windows Replication Through Removable Media

in: "*.pif" 5 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Spearphishing Attachment T1566.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Office Product Dropped Uncommon File
splunk Windows Replication Through Removable Media

in: "*.vbe" 5 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Spearphishing Attachment T1566.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Office Product Dropped Uncommon File
splunk Windows Replication Through Removable Media

in: "*.vbs" 5 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Spearphishing Attachment T1566.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Office Product Dropped Uncommon File
splunk Windows Replication Through Removable Media

in: "*.ashx" 4 rules

Top techniques:Exploit Public-Facing Application T1190, External Remote Services T1133, Web Shell T1505.003

Sample rules:

splunk ConnectWise ScreenConnect Path Traversal
splunk ConnectWise ScreenConnect Path Traversal Windows SACL
splunk Detect Exchange Web Shell
splunk Windows MOVEit Transfer Writing ASPX

in: "*.bat" 4 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Replication Through Removable Media

in: "*.cmd" 4 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Replication Through Removable Media

in: "*.com" 4 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Replication Through Removable Media

in: "*.sys" 4 rules

Top techniques:Masquerading T1036, Local Groups T1069.001, Replication Through Removable Media T1091

Sample rules:

splunk Executables Or Script Creation In Suspicious Path
splunk Executables Or Script Creation In Temp Path
splunk Windows Admin Permission Discovery
splunk Windows Replication Through Removable Media

eq: "*.dll" 3 rules

Top techniques:Print Processors T1547.012, DLL T1574.001, Phishing T1566

Sample rules:

splunk Spoolsv Writing a DLL
splunk Windows Known Abused DLL Created
splunk Windows Phishing Outlook Drop Dll In FORM Dir

in: "*.aspx" 3 rules

Top techniques:Exploit Public-Facing Application T1190, External Remote Services T1133, Web Shell T1505.003

Sample rules:

splunk ConnectWise ScreenConnect Path Traversal
splunk ConnectWise ScreenConnect Path Traversal Windows SACL
splunk Detect Exchange Web Shell

in: "*.ps1" 3 rules

Top techniques:Masquerading T1036, Spearphishing Attachment T1566.001

Sample rules:

in: "*.dat" 2 rules

Top techniques:Screen Capture T1113, Local Groups T1069.001

Sample rules:

splunk Remcos RAT File Creation in Remcos Folder
splunk Windows Admin Permission Discovery

in: "*.lnk" 2 rules

Top techniques:Local Groups T1069.001, Replication Through Removable Media T1091

Sample rules:

splunk Windows Admin Permission Discovery
splunk Windows Replication Through Removable Media

in: "*.msc" 2 rules

Top techniques:Masquerading T1036

Sample rules:

`DestinationPort` 16 entries

eq: 443 7 rules

Top techniques:Ingress Tool Transfer T1105, Exploitation for Client Execution T1203, Remote Desktop Protocol T1021.001, Protocol Tunneling T1572, Rundll32 T1218.011, MSBuild T1127.001

Sample rules:

eq: 80 6 rules

Top techniques:Ingress Tool Transfer T1105, Exploitation for Client Execution T1203, Remote Desktop Protocol T1021.001, Protocol Tunneling T1572, MSBuild T1127.001

Sample rules:

ne: 0 6 rules

Top techniques:Process Injection T1055, Rundll32 T1218.011, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003, Bootkit T1542.003

Sample rules:

eq: 587 4 rules

Top techniques:Exploitation for Client Execution T1203, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003

Sample rules:

eq: 3389 3 rules

Top techniques:Remote Desktop Protocol T1021.001, Internal Proxy T1090.001, External Proxy T1090.002, Password Guessing T1110.001

Sample rules:

eq: 88 3 rules

Top techniques:Kerberoasting T1558.003, Pass the Ticket T1550.003, Steal or Forge Kerberos Tickets T1558, Use Alternate Authentication Material T1550

Sample rules:

eq: 445 3 rules

Top techniques:Ingress Tool Transfer T1105

Sample rules:

eq: 465 3 rules

Top techniques:Exfiltration Over Unencrypted Non-C2 Protocol T1048.003

Sample rules:

eq: 993 3 rules

Top techniques:Exploitation for Client Execution T1203

Sample rules:

eq: 995 3 rules

Top techniques:Exploitation for Client Execution T1203

Sample rules:

eq: 9389 2 rules

Top techniques:Account Discovery T1087, Local Groups T1069.001, Domain Groups T1069.002, Local Account T1087.001, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

eq: 139 2 rules

Sample rules:

eq: 143 2 rules

Top techniques:Exploitation for Client Execution T1203

Sample rules:

eq: 25 2 rules

Top techniques:Exploitation for Client Execution T1203, Exfiltration Over Unencrypted Non-C2 Protocol T1048.003

Sample rules:

eq: 5985 2 rules

Top techniques:PowerShell T1059.001, Windows Remote Management T1021.006

Sample rules:

eq: 5986 2 rules

Top techniques:PowerShell T1059.001, Windows Remote Management T1021.006

Sample rules:

`Properties` 15 entries

in: "*Manage Replication Topology*" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

in: "*Remove Replica In Domain*" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

in: "*Replicating Directory Changes All*" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

in: "*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

in: "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

in: "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

match: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 2 rules

Top techniques:DCSync T1003.006

Sample rules:

sigma Active Directory Replication from Non Machine Account
sigma Mimikatz DC Sync

match: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 2 rules

Top techniques:DCSync T1003.006

Sample rules:

sigma Active Directory Replication from Non Machine Account
sigma Mimikatz DC Sync

match: 89e95b76-444d-4c62-991a-0facbeda640c 2 rules

Top techniques:DCSync T1003.006

Sample rules:

sigma Active Directory Replication from Non Machine Account
sigma Mimikatz DC Sync

wildcard: *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* 2 rules

Top techniques:OS Credential Dumping T1003, DCSync T1003.006, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

elastic FirstTime Seen Account Performing DCSync
elastic Potential Credential Access via DCSync

wildcard: *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* 2 rules

Top techniques:OS Credential Dumping T1003, DCSync T1003.006, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

elastic FirstTime Seen Account Performing DCSync
elastic Potential Credential Access via DCSync

wildcard: *89e95b76-444d-4c62-991a-0facbeda640c* 2 rules

Top techniques:OS Credential Dumping T1003, DCSync T1003.006, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

elastic FirstTime Seen Account Performing DCSync
elastic Potential Credential Access via DCSync

wildcard: *DS-Replication-Get-Changes* 2 rules

Top techniques:OS Credential Dumping T1003, DCSync T1003.006, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

elastic FirstTime Seen Account Performing DCSync
elastic Potential Credential Access via DCSync

wildcard: *DS-Replication-Get-Changes-All* 2 rules

Top techniques:OS Credential Dumping T1003, DCSync T1003.006, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

elastic FirstTime Seen Account Performing DCSync
elastic Potential Credential Access via DCSync

wildcard: *DS-Replication-Get-Changes-In-Filtered-Set* 2 rules

Top techniques:OS Credential Dumping T1003, DCSync T1003.006, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

elastic FirstTime Seen Account Performing DCSync
elastic Potential Credential Access via DCSync

`SubcategoryGuid` 15 entries

eq: {0CCE9210-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9211-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9212-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9215-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9217-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE921B-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE922B-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE922F-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9230-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9235-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9236-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9237-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE923F-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9240-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

eq: {0CCE9242-69AE-11D9-BED3-505054503030} 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

`dest_ip` 14 entries

cidr_match: 127.0.0.0/8 13 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 13):

cidr_match: ::1/128 13 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 13):

cidr_match: 10.0.0.0/8 12 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 12):

cidr_match: 169.254.0.0/16 12 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 12):

cidr_match: 172.16.0.0/12 12 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 12):

cidr_match: 192.168.0.0/16 12 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 12):

cidr_match: fc00::/7 12 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 12):

cidr_match: fe80::/10 12 rules

Top techniques:Rundll32 T1218.011, Non-Standard Port T1571, System Binary Proxy Execution T1218, Ingress Tool Transfer T1105, CMSTP T1218.003, Web Protocols T1071.001

Sample rules (showing 8 of 12):

cidr_match: 51.103.0.0/16 3 rules

Top techniques:Exploitation for Client Execution T1203, Rundll32 T1218.011, System Binary Proxy Execution T1218

Sample rules:

cidr_match: 20.184.0.0/13 2 rules

Top techniques:Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules:

cidr_match: 20.192.0.0/10 2 rules

Top techniques:Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules:

cidr_match: 51.10.0.0/15 2 rules

Top techniques:Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules:

cidr_match: 51.104.0.0/15 2 rules

Top techniques:Exploitation for Client Execution T1203, System Binary Proxy Execution T1218

Sample rules:

eq: 127.0.0.1 2 rules

Top techniques:Network Service Discovery T1046, Windows Remote Management T1021.006, PowerShell T1059.001

Sample rules:

sigma Python Initiated Connection
sigma Potential Remote PowerShell Session Initiated

`ImagePath` 14 entries

match: cmd 5 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: powershell 5 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002, Obfuscated Files or Information T1027, PowerShell T1059.001, SMB/Windows Admin Shares T1021.002

Sample rules:

match: && 4 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Windows Service T1543.003

Sample rules:

match: /c 4 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: rundll32 3 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002, Windows Service T1543.003

Sample rules:

match: %COMSPEC% 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Windows Service T1543.003, Service Execution T1569.002, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: -f 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: /r 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: input 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: invoke 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: mshta 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Windows Service T1543.003

Sample rules:

match: pwsh 2 rules

Top techniques:Service Execution T1569.002, Windows Service T1543.003

Sample rules:

match: shell32.dll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: shellexec_rundll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

`ParentCommandLine` 14 entries

match: :\Users\ 3 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595, Rundll32 T1218.011

Sample rules:

ends_with: tunnel 2 rules

Top techniques:Web Protocols T1071.001, Remote Access Tools T1219

Sample rules:

eq: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule 2 rules

Top techniques:Bypass User Account Control T1548.002

Sample rules:

sigma Explorer NOUACCHECK Flag
sigma UAC Bypass Using Disk Cleanup

match: .lnk 2 rules

Top techniques:Active Scanning T1595, Malicious File T1204.002

Sample rules:

match: :\Users\Public\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595

Sample rules:

match: :\Windows\Temp\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595

Sample rules:

match:

JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw

2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

match: \Contacts\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595

Sample rules:

match: \Favorites\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595

Sample rules:

match: \Favourites\ 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595

Sample rules:

match: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

match: \Temporary Internet 2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005, Active Scanning T1595

Sample rules:

match:

cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA

2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

match:

nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA

2 rules

Top techniques:Compile After Delivery T1027.004, Visual Basic T1059.005, JavaScript T1059.007, Mshta T1218.005

Sample rules:

`file.name` 14 entries

wildcard: FssagentRpc 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: Spoolss 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: WinsPipe 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: dhcpserver 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: dnsserver 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: efsrpc 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: eventlog 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: lsarpc 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: lsass 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: netdfs 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: netlogon 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: samr 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: srvsvc 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

wildcard: winreg 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

`src_ip` 12 entries

eq: 127.0.0.1 5 rules

Top techniques:Remote Desktop Protocol T1021.001, Abuse Elevation Control Mechanism T1548, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Network Service Discovery T1046, Windows Remote Management T1021.006, PowerShell T1059.001

Sample rules:

eq: ::1 5 rules

Top techniques:Remote Desktop Protocol T1021.001, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Forced Authentication T1187, SMB/Windows Admin Shares T1021.002, Windows Remote Management T1021.006, PowerShell T1059.001

Sample rules:

sigma RDP Login from Localhost
sigma RottenPotato Like Attack Pattern
sigma PetitPotam Suspicious Kerberos TGT Request
sigma SMB Create Remote File Admin Share
sigma Potential Remote PowerShell Session Initiated

cidr_match: 127.0.0.0/8 4 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190, SMB/Windows Admin Shares T1021.002

Sample rules:

cidr_match: 169.254.0.0/16 4 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190, SMB/Windows Admin Shares T1021.002

Sample rules:

cidr_match: ::1/128 4 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190, SMB/Windows Admin Shares T1021.002

Sample rules:

cidr_match: fc00::/7 4 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190, SMB/Windows Admin Shares T1021.002

Sample rules:

cidr_match: fe80::/10 4 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190, SMB/Windows Admin Shares T1021.002

Sample rules:

cidr_match: 10.0.0.0/8 3 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190

Sample rules:

sigma External Remote RDP Logon from Public IP
sigma External Remote SMB Logon from Public IP
sigma Failed Logon From Public IP

cidr_match: 172.16.0.0/12 3 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190

Sample rules:

sigma External Remote RDP Logon from Public IP
sigma External Remote SMB Logon from Public IP
sigma Failed Logon From Public IP

cidr_match: 192.168.0.0/16 3 rules

Top techniques:Valid Accounts T1078, External Remote Services T1133, Brute Force T1110, Exploit Public-Facing Application T1190

Sample rules:

sigma External Remote RDP Logon from Public IP
sigma External Remote SMB Logon from Public IP
sigma Failed Logon From Public IP

eq: - 2 rules

Top techniques:Valid Accounts T1078, Brute Force T1110, External Remote Services T1133

Sample rules:

ne: "-" 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

`registry_path` 12 entries

eq: "*\\Microsoft\\Windows Defender\\SpyNet*" 3 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

splunk Disable Defender BlockAtFirstSeen Feature
splunk Disable Defender Spynet Reporting
splunk Disable Defender Submit Samples Consent Feature

eq: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*" 3 rules

Top techniques:Modify Registry T1112

Sample rules:

eq: "*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" 2 rules

Top techniques:Registry Run Keys / Startup Folder T1547.001, Image File Execution Options Injection T1546.012

Sample rules:

splunk Registry Keys Used For Persistence
splunk Registry Keys Used For Privilege Escalation

eq: "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" 2 rules

Top techniques:Credentials in Registry T1552.002

Sample rules:

splunk Add DefaultUser And Password In Registry
splunk Auto Admin Logon Registry Entry

eq: "*USBSTOR*" 2 rules

Top techniques:Data from Removable Media T1025, Replication Through Removable Media T1091, Hardware Additions T1200

Sample rules:

eq: "*\\Control\\Terminal Server\\fDenyTSConnections*" 2 rules

Top techniques:Modify Registry T1112, Remote Desktop Protocol T1021.001

Sample rules:

splunk Windows Modify Registry Disable RDP
splunk Windows Remote Services Rdp Enable

eq: "*\\InProcServer32\\*" 2 rules

Top techniques:Modify Registry T1112, Phishing T1566

Sample rules:

splunk Windows InProcServer32 New Outlook Form
splunk Windows New InProcServer32 Added

eq: "*\\Microsoft\\Terminal Server Client\\Servers\\*" 2 rules

Top techniques:File Deletion T1070.004, Remote Desktop Protocol T1021.001

Sample rules:

splunk Windows RDP Server Registry Deletion
splunk Windows RDP Server Registry Entry Created

eq: "*\\SYSTEM\\CurrentControlSet\\Services*" 2 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Service Stop T1489

Sample rules:

splunk Windows Service Creation Using Registry Entry
splunk Windows Service Deletion In Registry

eq: "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" 2 rules

Top techniques:Remote Desktop Protocol T1021.001, Modify Registry T1112

Sample rules:

in: "HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*" 2 rules

Top techniques:Data from Removable Media T1025, Replication Through Removable Media T1091, Hardware Additions T1200

Sample rules:

in: "HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*" 2 rules

Top techniques:Data from Removable Media T1025, Replication Through Removable Media T1091, Hardware Additions T1200

Sample rules:

`EventType` 11 entries

eq: deleted 8 rules

Top techniques:Modify Registry T1112, Disable or Modify Tools T1562.001, Modify Authentication Process T1556, File Deletion T1070.004, Scheduled Task T1053.005, Impair Defenses T1562

Sample rules:

eq: logged-in 7 rules

Top techniques:Create or Modify System Process T1543, Windows Service T1543.003, Valid Accounts T1078, Brute Force T1110, Password Guessing T1110.001, Password Spraying T1110.003

Sample rules:

elastic Multiple Logon Failure Followed by Logon Success
elastic Potential Pass-the-Hash (PtH) Attempt
elastic Remote Windows Service Installed
elastic Account Password Reset Remotely
elastic Potential Account Takeover - Mixed Logon Types
elastic Service Creation via Local Kerberos Authentication
elastic Potential Account Takeover - Logon from New Source IP

eq: DeleteValue 5 rules

Top techniques:Modify Registry T1112, Screen Capture T1113, Disable or Modify Tools T1562.001, Indicator Removal T1070, Registry Run Keys / Startup Folder T1547.001

Sample rules:

eq: modified 5 rules

Top techniques:Modify Registry T1112, Modify Authentication Process T1556, Port Monitors T1547.010, Service Stop T1489

Sample rules:

in: "ConnectPipe" 4 rules

Top techniques:Application Layer Protocol T1071, Inter-Process Communication T1559

Sample rules:

in: "CreatePipe" 4 rules

Top techniques:Application Layer Protocol T1071, Inter-Process Communication T1559

Sample rules:

eq: SetValue 3 rules

Top techniques:Stage Capabilities T1608, Boot or Logon Autostart Execution T1547, Change Default File Association T1546.001, Bypass User Account Control T1548.002

Sample rules:

eq: logon-failed 3 rules

Top techniques:Brute Force T1110, Password Guessing T1110.001, Password Spraying T1110.003

Sample rules:

elastic Privileged Accounts Brute Force
elastic Multiple Logon Failure Followed by Logon Success
elastic Multiple Logon Failure from the same Source Address

eq: scheduled-task-created 3 rules

Top techniques:Scheduled Task/Job T1053, Scheduled Task T1053.005, Remote Services T1021

Sample rules:

elastic Remote Scheduled Task Creation via RPC
elastic A scheduled task was created
elastic Temporarily Scheduled Task Creation

eq: CreateKey 2 rules

Top techniques:Modify Registry T1112, Disable Windows Event Logging T1562.002

Sample rules:

eq: service-installed 2 rules

Top techniques:Create or Modify System Process T1543, Windows Service T1543.003, Remote Services T1021, SMB/Windows Admin Shares T1021.002, System Services T1569, Service Execution T1569.002

Sample rules:

elastic Remote Windows Service Installed
elastic Windows Service Installed via an Unusual Client

`IntegrityLevel` 10 entries

eq: S-1-16-16384 21 rules

Top techniques:Bypass User Account Control T1548.002, Msiexec T1218.007, Match Legitimate Resource Name or Location T1036.005, Scheduled Task T1053.005, Exploitation for Privilege Escalation T1068, Exploitation for Client Execution T1203

Sample rules (showing 8 of 21):

eq: System 21 rules

Sample rules (showing 8 of 21):

eq: High 16 rules

Top techniques:Bypass User Account Control T1548.002, Indirect Command Execution T1202, CMSTP T1218.003

Sample rules (showing 8 of 16):

sigma Suspicious High IntegrityLevel Conhost Legacy Option
sigma UAC Bypass Using ChangePK and SLUI
sigma UAC Bypass Using Disk Cleanup
sigma CMSTP UAC Bypass via COM Object Access
sigma UAC Bypass Tools Using ComputerDefaults
sigma UAC Bypass Using Consent and Comctl32 - Process
sigma UAC Bypass Using DismHost
sigma UAC Bypass Using IDiagnostic Profile

eq: S-1-16-12288 16 rules

Top techniques:Bypass User Account Control T1548.002, Indirect Command Execution T1202, CMSTP T1218.003

Sample rules (showing 8 of 16):

sigma Suspicious High IntegrityLevel Conhost Legacy Option
sigma UAC Bypass Using ChangePK and SLUI
sigma UAC Bypass Using Disk Cleanup
sigma CMSTP UAC Bypass via COM Object Access
sigma UAC Bypass Tools Using ComputerDefaults
sigma UAC Bypass Using Consent and Comctl32 - Process
sigma UAC Bypass Using DismHost
sigma UAC Bypass Using IDiagnostic Profile

eq: Medium 3 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Modify Registry T1112

Sample rules:

eq: S-1-16-8192 3 rules

Top techniques:Services Registry Permissions Weakness T1574.011, Modify Registry T1112

Sample rules:

in: "low" 3 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548, Bypass User Account Control T1548.002

Sample rules:

in: "medium" 3 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548, Bypass User Account Control T1548.002

Sample rules:

eq: "system" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

in: "high" 2 rules

Top techniques:Exploitation for Privilege Escalation T1068, Access Token Manipulation T1134, Abuse Elevation Control Mechanism T1548

Sample rules:

`user` 10 entries

ends_with: $ 18 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Domain Account T1087.002, DCSync T1003.006

Sample rules (showing 8 of 18):

match: AUTHORI 16 rules

Top techniques:LSASS Memory T1003.001, File Deletion T1070.004, Scheduled Task T1053.005, Abuse Elevation Control Mechanism T1548, Bypass User Account Control T1548.002, Create Process with Token T1134.002

Sample rules (showing 8 of 16):

match: AUTORI 16 rules

Sample rules (showing 8 of 16):

ne: *$ 10 rules

Top techniques:Password Spraying T1110.003

Sample rules (showing 8 of 10):

ne: "*$" 7 rules

Top techniques:Valid Accounts T1078, Password Spraying T1110.003, Email Addresses T1589.002, Domain Accounts T1078.002, Network Share Discovery T1135, Security Account Manager T1003.002

Sample rules:

eq: ANONYMOUS LOGON 3 rules

Top techniques:Pass the Hash T1550.002, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Forced Authentication T1187

Sample rules:

sigma Pass the Hash Activity 2
sigma RottenPotato Like Attack Pattern
sigma Possible PetitPotam Coerce Authentication Attempt

starts_with: MSOL_ 3 rules

Top techniques:DCSync T1003.006, Domain Account T1087.002

Sample rules:

eq: "*$" 2 rules

Top techniques:DCSync T1003.006, Steal or Forge Kerberos Tickets T1558

Sample rules:

eq: "ANONYMOUS LOGON" 2 rules

Top techniques:Exploitation of Remote Services T1210, Forced Authentication T1187

Sample rules:

splunk Detect Computer Changed with Anonymous Account
splunk PetitPotam Network Share Access Request

eq: HomeGroupUser$ 2 rules

Top techniques:Local Account T1136.001, Masquerading T1036

Sample rules:

sigma Hidden Local User Creation
sigma New or Renamed User Account with '$' Character

`ServiceFileName` 10 entries

match: cmd 5 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: powershell 4 rules

Top techniques:Service Execution T1569.002, Obfuscated Files or Information T1027, PowerShell T1059.001, SMB/Windows Admin Shares T1021.002, Windows Service T1543.003

Sample rules:

match: && 3 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: /c 3 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: %COMSPEC% 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Windows Service T1543.003, Service Execution T1569.002, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: -f 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: invoke 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: rundll32 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001, Token Impersonation/Theft T1134.001, Create Process with Token T1134.002

Sample rules:

match: shell32.dll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: shellexec_rundll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

`Provider_Name` 8 entries

eq: Service Control Manager 43 rules

Top techniques:Windows Service T1543.003, Service Execution T1569.002, Obfuscated Files or Information T1027, PowerShell T1059.001, SMB/Windows Admin Shares T1021.002, Remote Desktop Software T1219.002

Sample rules (showing 8 of 43):

eq: MsiInstaller 4 rules

Top techniques:Service Stop T1489, System Binary Proxy Execution T1218, Msiexec T1218.007, Remote Desktop Software T1219.002

Sample rules:

sigma Application Uninstalled
sigma MSI Installation From Suspicious Locations
sigma MSI Installation From Web
sigma Atera Agent Installation

eq: Microsoft-Windows-Eventlog 3 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Security Eventlog Cleared
sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

eq: Microsoft-Windows-Sysmon 3 rules

Top techniques:Process Injection T1055, Trusted Developer Utilities Proxy Execution T1127, MSBuild T1127.001, Indicator Removal T1070, Timestomp T1070.006, Access Token Manipulation T1134

Sample rules:

elastic Process Injection by the Microsoft Build Engine
elastic Potential Timestomp in Executable Files
elastic Privilege Escalation via Rogue Named Pipe Impersonation

eq: Application Error 2 rules

Top techniques:LSASS Memory T1003.001, Exploitation for Defense Evasion T1211, Disable or Modify Tools T1562.001

Sample rules:

eq: ESENT 2 rules

Top techniques:NTDS T1003.003

Sample rules:

sigma Ntdsutil Abuse
sigma Dump Ntds.dit To Suspicious Location

eq: Microsoft-Windows-DHCP-Server 2 rules

Top techniques:DLL T1574.001

Sample rules:

eq: ScreenConnect 2 rules

Top techniques:Windows Command Shell T1059.003

Sample rules:

`Description` 8 entries

eq: GnuPG’s OpenPGP tool 4 rules

Top techniques:Data Encrypted for Impact T1486

Sample rules:

sigma File Decryption Using Gpg4win
sigma File Encryption Using Gpg4win
sigma Portable Gpg.EXE Execution
sigma File Encryption/Decryption Via Gpg4win From Suspicious Locations

eq: AnyDesk 3 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

eq: Command line RAR 3 rules

Top techniques:Archive via Utility T1560.001, Command and Scripting Interpreter T1059

Sample rules:

sigma Suspicious Greedy Compression Using Rar.EXE
sigma Winrar Compressing Dump Files
sigma WinRAR Execution in Non-Standard Folder

eq: Active Directory Editor 2 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

eq: System activity monitor 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

sigma Sysmon Configuration Update
sigma Uninstall Sysinternals Sysmon

eq: Windows PowerShell 2 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027, Deobfuscate/Decode Files or Information T1140

Sample rules:

match: 7-Zip 2 rules

Top techniques:Archive via Utility T1560.001

Sample rules:

match: st2stager 2 rules

Top techniques:Application Layer Protocol T1071

Sample rules:

`Product` 8 entries

eq: AnyDesk 3 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

eq: Node.js 2 rules

Top techniques:JavaScript T1059.007

Sample rules:

eq: Ping Castle 2 rules

Top techniques:Active Scanning T1595

Sample rules:

eq: PowerShell Core 6 2 rules

Top techniques:PowerShell T1059.001, Obfuscated Files or Information T1027, Deobfuscate/Decode Files or Information T1140

Sample rules:

eq: Remote Utilities 2 rules

Sample rules:

eq: SQLite 2 rules

Top techniques:Data from Local System T1005, Steal Web Session Cookie T1539, Credentials from Web Browsers T1555.003

Sample rules:

eq: Sysinternals ADExplorer 2 rules

Top techniques:Domain Groups T1069.002, Domain Account T1087.002, Domain Trust Discovery T1482

Sample rules:

match: NetSupport Remote Control 2 rules

Sample rules:

`LogonType` 7 entries

eq: 3 12 rules

Top techniques:Valid Accounts T1078, Steal or Forge Kerberos Tickets T1558, Password Spraying T1110.003, Pass the Hash T1550.002, Brute Force T1110, External Remote Services T1133

Sample rules (showing 8 of 12):

sigma Pass the Hash Activity 2
sigma External Remote SMB Logon from Public IP
sigma Potential Privilege Escalation via Local Kerberos Relay over LDAP
sigma RottenPotato Like Attack Pattern
sigma Metasploit SMB Authentication
splunk Unusual Number of Remote Endpoint Authentication Events
splunk Windows Domain Admin Impersonation Indicator
splunk Windows Kerberos Local Successful Logon

eq: 9 5 rules

Top techniques:Pass the Hash T1550.002, Token Impersonation/Theft T1134.001, Use Alternate Authentication Material T1550

Sample rules:

sigma Potential Access Token Abuse
sigma DiagTrackEoP Default Login Username
sigma Successful Overpass the Hash Attempt
sigma Pass the Hash Activity 2
sigma Outgoing Logon with New Credentials

eq: 10 4 rules

Top techniques:Remote Desktop Protocol T1021.001, Default Accounts T1078.001, Domain Accounts T1078.002, Local Accounts T1078.003, Valid Accounts T1078, Brute Force T1110

Sample rules:

sigma Admin User Remote Logon
sigma RDP Login from Localhost
sigma External Remote RDP Logon from Public IP
splunk Windows RDP Login Session Was Established

eq: Network 4 rules

Top techniques:Brute Force T1110, Password Guessing T1110.001, Password Spraying T1110.003, Adversary-in-the-Middle T1557, Forced Authentication T1187, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

elastic Privileged Accounts Brute Force
elastic Multiple Logon Failure from the same Source Address
elastic Potential Computer Account NTLM Relay Activity
elastic Service Creation via Local Kerberos Authentication

wildcard: Network 3 rules

Top techniques:Brute Force T1110, Password Guessing T1110.001, Password Spraying T1110.003, Remote Services T1021, SMB/Windows Admin Shares T1021.002, Create or Modify System Process T1543

Sample rules:

elastic Multiple Logon Failure Followed by Logon Success
elastic Remote Windows Service Installed
elastic Account Password Reset Remotely

eq: 2 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

wildcard: network 2 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Use Alternate Authentication Material T1550

Sample rules:

`ObjectType` 7 entries

eq: File 5 rules

Top techniques:Spearphishing Attachment T1566.001, Shortcut Modification T1547.009, OS Credential Dumping T1003, SMB/Windows Admin Shares T1021.002, Transfer Data to Cloud Account T1537

Sample rules:

eq: Key 3 rules

Top techniques:Query Registry T1012, Credentials in Registry T1552.002

Sample rules:

eq: SAM_GROUP 2 rules

Top techniques:Domain Account T1087.002, Domain Groups T1069.002

Sample rules:

sigma AD Privileged Users or Groups Reconnaissance
sigma Reconnaissance Activity

eq: SAM_USER 2 rules

Top techniques:Domain Account T1087.002, Domain Groups T1069.002

Sample rules:

sigma AD Privileged Users or Groups Reconnaissance
sigma Reconnaissance Activity

eq: SC_MANAGER OBJECT 2 rules

Top techniques:Application Window Discovery T1010, Abuse Elevation Control Mechanism T1548

Sample rules:

sigma SCM Database Handle Failure
sigma SCM Database Privileged Operation

in: "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

in: "domainDNS" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

`AttributeLDAPDisplayName` 6 entries

eq: servicePrincipalName 6 rules

Top techniques:Account Manipulation T1098, Rogue Domain Controller T1207, Steal or Forge Kerberos Tickets T1558, Kerberoasting T1558.003

Sample rules:

sigma Active Directory User Backdoors
sigma Possible DC Shadow Attack
elastic User account exposed to Kerberoasting
splunk Windows AD ServicePrincipalName Added To Domain Account
splunk Windows AD Short Lived Domain Account ServicePrincipalName
splunk Windows AD Short Lived Domain Controller SPN Attribute

eq: gPCMachineExtensionNames 4 rules

Top techniques:Group Policy Modification T1484.001, Scheduled Task T1053.005, Boot or Logon Autostart Execution T1547, Windows File and Directory Permissions Modification T1222.001

Sample rules:

wildcard: gPCMachineExtensionNames 3 rules

Top techniques:Domain or Tenant Policy Modification T1484, Group Policy Modification T1484.001, Boot or Logon Initialization Scripts T1037, Boot or Logon Autostart Execution T1547, Scheduled Task/Job T1053, Scheduled Task T1053.005

Sample rules:

elastic Startup/Logon Script added to Group Policy Object
elastic Group Policy Abuse for Privilege Addition
elastic Scheduled Task Execution at Scale via GPO

eq: msDS-KeyCredentialLink 2 rules

Top techniques:Modify Authentication Process T1556, Account Manipulation T1098

Sample rules:

sigma Possible Shadow Credentials Added
elastic Potential Shadow Credentials added to AD Object

eq: gPCUserExtensionNames 2 rules

Top techniques:Scheduled Task T1053.005, Group Policy Modification T1484.001, Boot or Logon Autostart Execution T1547

Sample rules:

wildcard: gPCUserExtensionNames 2 rules

Sample rules:

elastic Startup/Logon Script added to Group Policy Object
elastic Scheduled Task Execution at Scale via GPO

`ShareName` 6 entries

eq: \\\\\*\\IPC$ 6 rules

Top techniques:SMB/Windows Admin Shares T1021.002, At T1053.002

Sample rules:

sigma Remote Task Creation via ATSVC Named Pipe
sigma DCERPC SMB Spoolss Named Pipe
sigma Impacket PsExec Execution
sigma First Time Seen Remote Named Pipe
sigma Suspicious PsExec Execution
sigma Remote Service Activity via SVCCTL Named Pipe

in: "\\\\*\\C$" 3 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Transfer Data to Cloud Account T1537, Network Share Discovery T1135

Sample rules:

ends_with: \SYSVOL 2 rules

Top techniques:Scheduled Task T1053.005, Group Policy Modification T1484.001, Boot or Logon Autostart Execution T1547

Sample rules:

in: "\\\\*\\IPC$" 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Transfer Data to Cloud Account T1537

Sample rules:

in: "\\\\*\\admin$" 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Transfer Data to Cloud Account T1537

Sample rules:

wildcard: \\*\SYSVOL 2 rules

Sample rules:

elastic Startup/Logon Script added to Group Policy Object
elastic Scheduled Task Execution at Scale via GPO

`Channel` 6 entries

eq: Microsoft-Windows-PowerShell/Operational 2 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

eq: Microsoft-Windows-Sysmon/Operational 2 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

eq: PowerShellCore/Operational 2 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

eq: Security 2 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

eq: System 2 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

eq: Windows PowerShell 2 rules

Top techniques:Clear Windows Event Logs T1070.001

Sample rules:

sigma Eventlog Cleared
sigma Important Windows Eventlog Cleared

`Data` 6 entries

match: EngineVersion=2. 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

match: MsMpEng.exe 2 rules

Top techniques:Exploitation for Defense Evasion T1211, Disable or Modify Tools T1562.001

Sample rules:

match: \Desktop\ 2 rules

Sample rules:

match: \Users\Public\ 2 rules

Sample rules:

match: mpengine.dll 2 rules

Top techniques:Exploitation for Defense Evasion T1211, Disable or Modify Tools T1562.001

Sample rules:

match: ntds.dit 2 rules

Top techniques:NTDS T1003.003

Sample rules:

sigma Ntdsutil Abuse
sigma Dump Ntds.dit To Suspicious Location

`TaskName` 6 entries

match: \Windows\BitLocker 2 rules

Top techniques:Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Important Scheduled Task Deleted/Disabled
sigma Important Scheduled Task Deleted

match: \Windows\ExploitGuard 2 rules

Top techniques:Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Important Scheduled Task Deleted/Disabled
sigma Important Scheduled Task Deleted

match: \Windows\SystemRestore\SR 2 rules

Top techniques:Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Important Scheduled Task Deleted/Disabled
sigma Important Scheduled Task Deleted

match: \Windows\Windows Defender\ 2 rules

Top techniques:Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Important Scheduled Task Deleted/Disabled
sigma Important Scheduled Task Deleted

match: \Windows\WindowsBackup\ 2 rules

Top techniques:Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Important Scheduled Task Deleted/Disabled
sigma Important Scheduled Task Deleted

match: \Windows\WindowsUpdate\ 2 rules

Top techniques:Scheduled Task T1053.005, Service Stop T1489

Sample rules:

sigma Important Scheduled Task Deleted/Disabled
sigma Important Scheduled Task Deleted

`ObjectClass` 5 entries

eq: groupPolicyContainer 4 rules

Top techniques:Group Policy Modification T1484.001, Windows File and Directory Permissions Modification T1222.001, Domain Accounts T1078.002

Sample rules:

sigma Windows Default Domain GPO Modification
splunk Windows AD GPO New CSE Addition
splunk Windows Default Group Policy Object Modified
splunk Windows Group Policy Object Created

eq: user 4 rules

Top techniques:Account Manipulation T1098, Steal or Forge Kerberos Tickets T1558, Kerberoasting T1558.003, Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484

Sample rules:

sigma Active Directory User Backdoors
elastic User account exposed to Kerberoasting
splunk Windows AD Dangerous User ACL Modification
splunk Windows AD ServicePrincipalName Added To Domain Account

eq: domainDNS 4 rules

Top techniques:Domain or Tenant Policy Modification T1484, Windows File and Directory Permissions Modification T1222.001, Rogue Domain Controller T1207

Sample rules:

splunk Windows AD DCShadow Privileges ACL Addition
splunk Windows AD Domain Replication ACL Addition
splunk Windows AD Domain Root ACL Deletion
splunk Windows AD Domain Root ACL Modification

eq: dnsNode 3 rules

Top techniques:Account Manipulation T1098, DHCP Spoofing T1557.003, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

eq: "dnsNode" 2 rules

Top techniques:DNS T1071.004, Forced Authentication T1187, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

splunk Windows Kerberos Coercion via DNS
splunk Windows Short Lived DNS Record

`RelativeTargetName` 5 entries

eq: lsarpc 3 rules

Top techniques:Forced Authentication T1187, SMB/Windows Admin Shares T1021.002

Sample rules:

eq: atsvc 2 rules

Top techniques:At T1053.002, SMB/Windows Admin Shares T1021.002

Sample rules:

eq: protected_storage 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002

Sample rules:

sigma First Time Seen Remote Named Pipe
sigma Protected Storage Service Access

eq: spoolss 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002

Sample rules:

sigma DCERPC SMB Spoolss Named Pipe
sigma First Time Seen Remote Named Pipe

eq: svcctl 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002

Sample rules:

`Status` 5 entries

eq: 0x6 3 rules

Top techniques:Password Spraying T1110.003, Email Addresses T1589.002

Sample rules:

eq: 0x12 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

eq: 0x18 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

eq: 0xC000006A 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

eq: 0xc0000064 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

`AuditPolicyChanges` 5 entries

in: "%%8448" 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

in: "%%8448, %%8450" 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

in: "%%8450" 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

match: %%8448 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

match: %%8450 2 rules

Top techniques:Disable Windows Event Logging T1562.002

Sample rules:

sigma Windows Event Auditing Disabled
sigma Important Windows Event Auditing Disabled

`CallTrace` 5 entries

match: UNKNOWN 2 rules

Top techniques:Thread Execution Hijacking T1055.003, Malicious File T1204.002, Disable Windows Event Logging T1562.002

Sample rules:

match: dbgcore.dll 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

match: dbghelp.dll 2 rules

Top techniques:LSASS Memory T1003.001, Disable or Modify Tools T1562.001

Sample rules:

match: |UNKNOWN( 2 rules

Top techniques:LSASS Memory T1003.001, Native API T1106

Sample rules:

wildcard: *UNKNOWN* 2 rules

Top techniques:OS Credential Dumping T1003, LSASS Memory T1003.001, Process Injection T1055, Process Hollowing T1055.012

Sample rules:

elastic Potential Credential Access via DuplicateHandle in LSASS
elastic Suspicious Process Creation CallTrace

`AccessMask` 4 entries

eq: 0x100 3 rules

Top techniques:DCSync T1003.006, OS Credential Dumping T1003, Valid Accounts T1078, Domain Accounts T1078.002

Sample rules:

sigma Active Directory Replication from Non Machine Account
sigma Mimikatz DC Sync
elastic Potential Credential Access via DCSync

eq: "0x100" 2 rules

Top techniques:DCSync T1003.006

Sample rules:

eq: "0x2" 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Transfer Data to Cloud Account T1537

Sample rules:

eq: 0x2 2 rules

Top techniques:LSA Secrets T1003.004, SMB/Windows Admin Shares T1021.002

Sample rules:

sigma DPAPI Domain Backup Key Extraction
sigma SMB Create Remote File Admin Share

`AuthenticationPackageName` 4 entries

eq: Negotiate 3 rules

Top techniques:Token Impersonation/Theft T1134.001, Default Accounts T1078.001, Domain Accounts T1078.002, Local Accounts T1078.003, Pass the Hash T1550.002

Sample rules:

sigma Potential Access Token Abuse
sigma Admin User Remote Logon
sigma Successful Overpass the Hash Attempt

eq: Kerberos 2 rules

Top techniques:Abuse Elevation Control Mechanism T1548, Steal or Forge Kerberos Tickets T1558

Sample rules:

eq: NTLM 2 rules

Top techniques:SMB/Windows Admin Shares T1021.002, Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001

Sample rules:

sigma Metasploit SMB Authentication
elastic Potential Computer Account NTLM Relay Activity

wildcard: Kerberos 2 rules

Top techniques:Adversary-in-the-Middle T1557, Forced Authentication T1187, Use Alternate Authentication Material T1550, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Create or Modify System Process T1543, Windows Service T1543.003

Sample rules:

`ModifyingApplication` 4 entries

ends_with: \MsMpEng.exe 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

eq: C:\Windows\System32\svchost.exe 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

starts_with: C:\ProgramData\Microsoft\Windows Defender\Platform\ 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

starts_with: C:\Windows\WinSxS\ 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

`ObjectName` 4 entries

ends_with: -500 2 rules

Top techniques:Domain Account T1087.002, Domain Groups T1069.002

Sample rules:

sigma AD Privileged Users or Groups Reconnaissance
sigma Reconnaissance Activity

ends_with: -512 2 rules

Top techniques:Domain Account T1087.002, Domain Groups T1069.002

Sample rules:

sigma AD Privileged Users or Groups Reconnaissance
sigma Reconnaissance Activity

ends_with: \lsass.exe 2 rules

Top techniques:LSASS Memory T1003.001

Sample rules:

match: \Microsoft\Windows Defender\Exclusions\ 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

`event.category` 3 entries

eq: authentication 5 rules

Top techniques:Brute Force T1110, Password Guessing T1110.001, Password Spraying T1110.003, Valid Accounts T1078, Use Alternate Authentication Material T1550, Pass the Hash T1550.002

Sample rules:

elastic Privileged Accounts Brute Force
elastic Multiple Logon Failure from the same Source Address
elastic Potential Pass-the-Hash (PtH) Attempt
elastic Potential Account Takeover - Mixed Logon Types
elastic Potential Account Takeover - Logon from New Source IP

eq: iam 2 rules

Top techniques:Scheduled Task/Job T1053, Scheduled Task T1053.005, Access Token Manipulation T1134

Sample rules:

elastic Unusual Scheduled Task Update
elastic Suspicious SeIncreaseBasePriorityPrivilege Use

eq: process 2 rules

Top techniques:OS Credential Dumping T1003, LSASS Memory T1003.001, Masquerading T1036, Rename Legitimate Utilities T1036.003, System Binary Proxy Execution T1218, Rundll32 T1218.011

Sample rules:

`AccessList` 3 entries

match: WriteData 4 rules

Top techniques:At T1053.002, Scheduled Task T1053.005, Shortcut Modification T1547.009, SMB/Windows Admin Shares T1021.002

Sample rules:

match: %%4417 3 rules

Top techniques:Scheduled Task T1053.005, Group Policy Modification T1484.001, Boot or Logon Autostart Execution T1547, Disable or Modify Tools T1562.001

Sample rules:

wildcard: *%%4417* 2 rules

Sample rules:

elastic Startup/Logon Script added to Group Policy Object
elastic Scheduled Task Execution at Scale via GPO

`TicketOptions` 3 entries

eq: 0x40810000 3 rules

Top techniques:Kerberoasting T1558.003, Golden Ticket T1558.001

Sample rules:

eq: 0x40800000 2 rules

Top techniques:Kerberoasting T1558.003, Golden Ticket T1558.001

Sample rules:

eq: 0x40810010 2 rules

Top techniques:Kerberoasting T1558.003, Golden Ticket T1558.001

Sample rules:

`Changes` 3 entries

in: "Failure removed" 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

in: "Success removed" 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

in: "Success removed, Failure removed" 2 rules

Top techniques:Disable or Modify Tools T1562.001

Sample rules:

`Payload` 3 entries

match: && 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: shell32.dll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

match: shellexec_rundll 2 rules

Top techniques:Obfuscated Files or Information T1027, PowerShell T1059.001

Sample rules:

`Signed` 2 entries

eq: false 8 rules

Top techniques:DLL T1574.001, LSASS Memory T1003.001, Match Legitimate Resource Name or Location T1036.005, Shared Modules T1129, MMC T1218.014, Bypass User Account Control T1548.002

Sample rules:

sigma Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
sigma Unsigned .node File Loaded
sigma Unsigned Image Loaded Into LSASS Process
sigma Unsigned Module Loaded by ClickOnce Application
splunk UAC Bypass MMC Load Unsigned Dll
splunk Windows Unsigned DLL Side-Loading
splunk Windows Unsigned DLL Side-Loading In Same Process Path
splunk Windows Unsigned MS DLL Side-Loading

eq: true 8 rules

Top techniques:DLL T1574.001, Regsvr32 T1218.010, Rundll32 T1218.011

Sample rules:

`source.ip` 2 entries

ne: 127.0.0.1 8 rules

Top techniques:Forced Authentication T1187, Adversary-in-the-Middle T1557, LLMNR/NBT-NS Poisoning and SMB Relay T1557.001, Remote Services T1021, SMB/Windows Admin Shares T1021.002, Brute Force T1110

Sample rules:

elastic Multiple Logon Failure Followed by Logon Success
elastic Potential Computer Account NTLM Relay Activity
elastic Potential Kerberos Relay Attack against a Computer Account
elastic Potential NTLM Relay Attack against a Computer Account
elastic Potential Machine Account Relay Attack via SMB
elastic Remote Windows Service Installed
elastic Account Password Reset Remotely
elastic Potential Account Takeover - Logon from New Source IP

ne: ::1 7 rules

Sample rules:

elastic Multiple Logon Failure Followed by Logon Success
elastic Potential Computer Account NTLM Relay Activity
elastic Potential Kerberos Relay Attack against a Computer Account
elastic Potential NTLM Relay Attack against a Computer Account
elastic Potential Machine Account Relay Attack via SMB
elastic Remote Windows Service Installed
elastic Account Password Reset Remotely

`Esql.script_block_length` 2 entries

gt: 500 6 rules

Top techniques:Obfuscated Files or Information T1027, Command Obfuscation T1027.010, Command and Scripting Interpreter T1059, PowerShell T1059.001, Deobfuscate/Decode Files or Information T1140

Sample rules:

gt: 1000 2 rules

Sample rules:

`Esql.script_block_pattern_count` 2 entries

ge: 1 6 rules

Sample rules:

ge: 2 2 rules

Sample rules:

`OperationType` 2 entries

eq: %%14674 4 rules

Top techniques:Account Manipulation T1098, Steal or Forge Kerberos Tickets T1558, Kerberoasting T1558.003, Exploitation for Privilege Escalation T1068, Windows File and Directory Permissions Modification T1222.001, Use Alternate Authentication Material T1550

Sample rules:

elastic User account exposed to Kerberoasting
elastic Account Configured with Never-Expiring Password
elastic Modification of the msPKIAccountCredentials
splunk Windows AD Suspicious Attribute Modification

eq: "%%14674" 3 rules

Top techniques:Group Policy Modification T1484.001, Disable or Modify Tools T1562.001, Account Manipulation T1098, SID-History Injection T1134.005

Sample rules:

splunk Windows AD GPO Disabled
splunk Windows AD ServicePrincipalName Added To Domain Account
splunk Windows AD SID History Attribute Modified

`SignatureStatus` 2 entries

eq: Valid 4 rules

Top techniques:DLL T1574.001, Regsvr32 T1218.010, Rundll32 T1218.011

Sample rules:

ne: Valid 2 rules

Top techniques:DLL T1574.001, Boot or Logon Autostart Execution T1547

Sample rules:

`Company` 2 entries

eq: AnyDesk Software GmbH 3 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

eq: LogMeIn, Inc. 2 rules

Top techniques:Remote Desktop Software T1219.002

Sample rules:

`TargetName` 2 entries

match: Microsoft_Windows_Shell_ZipFolder:filename 3 rules

Top techniques:Obfuscated Files or Information T1027, Masquerading T1036, Ingress Tool Transfer T1105, Spearphishing Attachment T1566.001

Sample rules:

match: \Temporary Internet Files\Content.Outlook 2 rules

Top techniques:Obfuscated Files or Information T1027, Spearphishing Attachment T1566.001

Sample rules:

`event_action` 2 entries

eq: "created" 3 rules

Top techniques:Masquerading T1036, Spearphishing Link T1566.002, AppDomainManager T1574.014

Sample rules:

eq: created 2 rules

Top techniques:Spearphishing Attachment T1566.001

Sample rules:

splunk Detect Outlook exe writing a zip file
splunk Spike in File Writes

`user.id` 2 entries

wildcard: S-1-12-1-* 3 rules

Top techniques:Use Alternate Authentication Material T1550, Pass the Hash T1550.002, Access Token Manipulation T1134, Create Process with Token T1134.002, Make and Impersonate Token T1134.003, Exploitation for Privilege Escalation T1068

Sample rules:

elastic Potential Pass-the-Hash (PtH) Attempt
elastic Process Creation via Secondary Logon
elastic Remote Computer Account DnsHostName Update

wildcard: S-1-5-21-* 3 rules

Sample rules:

elastic Potential Pass-the-Hash (PtH) Attempt
elastic Process Creation via Secondary Logon
elastic Remote Computer Account DnsHostName Update

`Attributes` 2 entries

eq: "*CertificateTemplate:*" 2 rules

Top techniques:Steal or Forge Authentication Certificates T1649, Use Alternate Authentication Material T1550

Sample rules:

eq: "*SAN:*upn*" 2 rules

Top techniques:Steal or Forge Authentication Certificates T1649, Use Alternate Authentication Material T1550

Sample rules:

`LogonId` 2 entries

eq: 0x3e4 2 rules

Top techniques:Application Window Discovery T1010, Abuse Elevation Control Mechanism T1548

Sample rules:

sigma SCM Database Handle Failure
sigma SCM Database Privileged Operation

eq: 0x3e7 2 rules

Top techniques:Command and Scripting Interpreter T1059, Windows Management Instrumentation T1047

Sample rules:

`ParentUser` 2 entries

match: AUTHORI 2 rules

Top techniques:Create Process with Token T1134.002, LSASS Memory T1003.001

Sample rules:

match: AUTORI 2 rules

Top techniques:Create Process with Token T1134.002, LSASS Memory T1003.001

Sample rules:

`Path` 2 entries

match: \Desktop\ 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

match: \Downloads\ 2 rules

Top techniques:Scheduled Task T1053.005

Sample rules:

`TargetUserSid` 2 entries

ends_with: -500 2 rules

Top techniques:Abuse Elevation Control Mechanism T1548

Sample rules:

starts_with: S-1-5-21- 2 rules

Top techniques:Abuse Elevation Control Mechanism T1548

Sample rules:

`aceType` 2 entries

in: "Access denied" 2 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484

Sample rules:

splunk Windows AD Dangerous Deny ACL Modification
splunk Windows AD Hidden OU Creation

in: D 2 rules

Top techniques:Windows File and Directory Permissions Modification T1222.001, Domain or Tenant Policy Modification T1484

Sample rules:

splunk Windows AD Dangerous Deny ACL Modification
splunk Windows AD Hidden OU Creation

`isutility` 2 entries

eq: TRUE 2 rules

Top techniques:Remote Access Tools T1219

Sample rules:

splunk Detect Remote Access Software Usage File
splunk Detect Remote Access Software Usage Registry

eq: True 2 rules

Top techniques:Remote Access Tools T1219

Sample rules:

splunk Detect Remote Access Software Usage FileInfo
splunk Detect Remote Access Software Usage DNS

`registry_value_name` 2 entries

eq: "(Default)" 2 rules

Top techniques:Bypass User Account Control T1548.002

Sample rules:

splunk Sdclt UAC Bypass
splunk WSReset UAC Bypass

eq: "FriendlyName" 2 rules

Top techniques:Data from Removable Media T1025, Replication Through Removable Media T1091, Hardware Additions T1200

Sample rules:

splunk Windows USBSTOR Registry Key Modification
splunk Windows WPDBusEnum Registry Key Modification

`Initiated` 1 entries

eq: true 40 rules

Top techniques:Protocol Tunneling T1572, Ingress Tool Transfer T1105, Web Service T1102, Exfiltration Over Web Service T1567, Remote Desktop Protocol T1021.001, Dead Drop Resolver T1102.001

Sample rules (showing 8 of 40):

`isOutlier` 1 entries

eq: 1 16 rules

Top techniques:Password Spraying T1110.003, Account Manipulation T1098, Impair Defenses T1562, Service Execution T1569.002, Transfer Data to Cloud Account T1537, Email Addresses T1589.002

Sample rules (showing 8 of 16):

splunk Detect Password Spray Attempts
splunk Excessive Usage Of SC Service Utility
splunk High Frequency Copy Of Files In Network Share
splunk Kerberos User Enumeration
splunk Spike in File Writes
splunk Unusual Number of Kerberos Service Tickets Requested
splunk Windows Increase in Group or Object Modification Activity
splunk Windows Increase in User Modification Activity

`event.outcome` 1 entries

eq: success 8 rules

Top techniques:Create or Modify System Process T1543, Windows Service T1543.003, Valid Accounts T1078, Access Token Manipulation T1134, Use Alternate Authentication Material T1550, Pass the Hash T1550.002

Sample rules:

elastic Potential Pass-the-Hash (PtH) Attempt
elastic Remote Windows Service Installed
elastic Account Password Reset Remotely
elastic Potential Account Takeover - Mixed Logon Types
elastic Process Creation via Secondary Logon
elastic Service Creation via Local Kerberos Authentication
elastic Potential Account Takeover - Logon from New Source IP
elastic Suspicious SeIncreaseBasePriorityPrivilege Use

`unique_accounts` 1 entries

gt: 30 8 rules

Top techniques:Password Spraying T1110.003

Sample rules:

`TicketEncryptionType` 1 entries

eq: 0x17 7 rules

Top techniques:Kerberoasting T1558.003, Golden Ticket T1558.001, Use Alternate Authentication Material T1550

Sample rules:

`unique_targets` 1 entries

gt: 30 5 rules

Top techniques:Network Share Discovery T1135, Valid Accounts T1078, Credential Stuffing T1110.004, Security Account Manager T1003.002, SMB/Windows Admin Shares T1021.002, Account Discovery T1087

Sample rules:

`short_lived` 1 entries

eq: TRUE 4 rules

Top techniques:Scheduled Task T1053.005, Domain Accounts T1078.002, Account Manipulation T1098, Rogue Domain Controller T1207

Sample rules:

splunk Short Lived Scheduled Task
splunk Suspicious Ticket Granting Ticket Request
splunk Windows AD Short Lived Domain Account ServicePrincipalName
splunk Windows AD Short Lived Server Object

`LogonProcessName` 1 entries

eq: seclogo 3 rules

Top techniques:Pass the Hash T1550.002, Use Alternate Authentication Material T1550

Sample rules:

sigma Successful Overpass the Hash Attempt
sigma Pass the Hash Activity 2
elastic Potential Pass-the-Hash (PtH) Attempt

`SourcePort` 1 entries

eq: 3389 3 rules

Top techniques:Remote Desktop Protocol T1021.001, Protocol Tunneling T1572, Internal Proxy T1090.001, External Proxy T1090.002

Sample rules:

`admonEventType` 1 entries

eq: Update 3 rules

Top techniques:Group Policy Modification T1484.001, Disable or Modify Tools T1562.001, Windows File and Directory Permissions Modification T1222.001

Sample rules:

`dns.question.name` 1 entries

eq: * 3 rules

Top techniques:Compromise Software Supply Chain T1195.002, Drive-by Compromise T1189, Remote Access Tools T1219

Sample rules:

`objectCategory` 1 entries

eq: "CN=Group-Policy-Container*" 3 rules

Top techniques:Group Policy Modification T1484.001, Disable or Modify Tools T1562.001, Windows File and Directory Permissions Modification T1222.001

Sample rules:

`status` 1 entries

eq: success 3 rules

Top techniques:Valid Accounts T1078, Account Manipulation T1098

Sample rules:

splunk Windows Multiple Account Passwords Changed
splunk Windows Multiple Accounts Deleted
splunk Windows Multiple Accounts Disabled

`unique_users` 1 entries

gt: 5 3 rules

Top techniques:Valid Accounts T1078, Account Manipulation T1098

Sample rules:

splunk Windows Multiple Account Passwords Changed
splunk Windows Multiple Accounts Deleted
splunk Windows Multiple Accounts Disabled

`ClientProcessId` 1 entries

eq: 0 2 rules

Top techniques:Create or Modify System Process T1543, Windows Service T1543.003

Sample rules:

`parent_process_id` 1 entries

eq: 0 2 rules

Top techniques:Create or Modify System Process T1543, Windows Service T1543.003

Sample rules:

`process_id` 1 entries

eq: 0 2 rules

Top techniques:Create or Modify System Process T1543, Windows Service T1543.003, Adversary-in-the-Middle T1557, Steal or Forge Kerberos Tickets T1558

Sample rules:

`Action` 1 entries

eq: 2 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

`All_Changes.result_id` 1 entries

eq: 4720 2 rules

Top techniques:Local Account T1136.001, Local Accounts T1078.003

Sample rules:

splunk Short Lived Windows Accounts
splunk Windows Create Local Account

`ApplicationPath` 1 entries

match: \AppData\Local\Temp\ 2 rules

Top techniques:Disable or Modify System Firewall T1562.004

Sample rules:

`Esql.max_logon` 1 entries

ge: 1000 2 rules

Top techniques:Valid Accounts T1078

Sample rules:

`Esql.min_logon` 1 entries

ge: 1 2 rules

Top techniques:Valid Accounts T1078

Sample rules:

`Esql.unique_host_count` 1 entries

ge: 2 2 rules

Top techniques:Valid Accounts T1078

Sample rules:

`NewTargetUserName` 1 entries

ne: "*$" 2 rules

Top techniques:Domain Accounts T1078.002

Sample rules:

splunk Suspicious Computer Account Name Change
splunk Suspicious Ticket Granting Ticket Request

`NewTemplateContent` 1 entries

match: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT 2 rules

Sample rules:

`OldTargetUserName` 1 entries

eq: "*$" 2 rules

Top techniques:Domain Accounts T1078.002

Sample rules:

splunk Suspicious Computer Account Name Change
splunk Suspicious Ticket Granting Ticket Request

`PipeName` 1 entries

starts_with: \PSHost 2 rules

Top techniques:PowerShell T1059.001

Sample rules:

sigma Alternate PowerShell Hosts Pipe
sigma New PowerShell Instance Created

`ServiceType` 1 entries

eq: "kernel mode driver" 2 rules

Top techniques:Rootkit T1014, Exploitation for Privilege Escalation T1068, Windows Service T1543.003

Sample rules:

splunk Windows Driver Load Non-Standard Path
splunk Windows Vulnerable Driver Installed

`SubjectUserSid` 1 entries

eq: S-1-0-0 2 rules

Top techniques:Pass the Hash T1550.002, Valid Accounts T1078

Sample rules:

`Target_User_Name` 1 entries

ne: *$ 2 rules

Top techniques:Password Spraying T1110.003

Sample rules:

`TemplateContent` 1 entries

match: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT 2 rules

Sample rules:

`count` 1 entries

ge: 100 2 rules

Top techniques:Data Destruction T1485

Sample rules:

`dropped_file_path_split_count` 1 entries

eq: 2 2 rules

Top techniques:Local Groups T1069.001, Replication Through Removable Media T1091

Sample rules:

splunk Windows Admin Permission Discovery
splunk Windows Replication Through Removable Media

`is_driver` 1 entries

eq: TRUE 2 rules

Top techniques:Windows Service T1543.003

Sample rules:

splunk Windows Vulnerable Driver Installed
splunk Windows Vulnerable Driver Loaded

`islibrary` 1 entries

eq: TRUE 2 rules

Top techniques:DLL T1574.001

Sample rules:

splunk Windows Known Abused DLL Created
splunk Windows Known Abused DLL Loaded Suspiciously

`parent_process_name` 1 entries

in: "powershell.exe" 2 rules

Top techniques:Process Injection T1055, PowerShell T1059.001, Account Access Removal T1531

Sample rules:

`user.domain` 1 entries

ne: NT AUTHORITY 2 rules

Top techniques:Brute Force T1110, Password Guessing T1110.001, Password Spraying T1110.003

Sample rules:

`ut_shannon` 1 entries

gt: 3 2 rules

Top techniques:Scheduled Task T1053.005, Windows Service T1543.003

Sample rules:

splunk Randomly Generated Scheduled Task Name
splunk Randomly Generated Windows Service Name

Indicator catalog

CommandLine 882 entries

Image 619 entries

TargetFilename 169 entries

Hashes 142 entries

OriginalFileName 130 entries

ParentImage 113 entries

Details 96 entries

TargetObject 73 entries

ScriptBlockText 67 entries

EventID 61 entries

ImageLoaded 60 entries

QueryName 58 entries

process_name 51 entries

DestinationHostname 33 entries

GrantedAccess 33 entries

Contents 33 entries

TargetImage 29 entries

ServiceName 26 entries

aceAccessRights 19 entries

file_name 17 entries

DestinationPort 16 entries

Properties 15 entries

SubcategoryGuid 15 entries

dest_ip 14 entries

ImagePath 14 entries

ParentCommandLine 14 entries

file.name 14 entries

src_ip 12 entries

registry_path 12 entries

EventType 11 entries

IntegrityLevel 10 entries

user 10 entries

ServiceFileName 10 entries

Provider_Name 8 entries

Description 8 entries

Product 8 entries

LogonType 7 entries

ObjectType 7 entries

AttributeLDAPDisplayName 6 entries

ShareName 6 entries

Channel 6 entries

Data 6 entries

TaskName 6 entries

ObjectClass 5 entries

RelativeTargetName 5 entries

Status 5 entries

AuditPolicyChanges 5 entries

CallTrace 5 entries

AccessMask 4 entries

AuthenticationPackageName 4 entries

ModifyingApplication 4 entries

ObjectName 4 entries

event.category 3 entries

AccessList 3 entries

TicketOptions 3 entries

Changes 3 entries

Payload 3 entries

Signed 2 entries

source.ip 2 entries

Esql.script_block_length 2 entries

Esql.script_block_pattern_count 2 entries

OperationType 2 entries

SignatureStatus 2 entries

Company 2 entries

TargetName 2 entries

event_action 2 entries

user.id 2 entries

Attributes 2 entries

LogonId 2 entries

ParentUser 2 entries

Path 2 entries

TargetUserSid 2 entries

aceType 2 entries

isutility 2 entries

registry_value_name 2 entries

Initiated 1 entries

isOutlier 1 entries

event.outcome 1 entries

unique_accounts 1 entries

`CommandLine` 882 entries

`Image` 619 entries

`TargetFilename` 169 entries

`Hashes` 142 entries

`OriginalFileName` 130 entries

`ParentImage` 113 entries

`Details` 96 entries

`TargetObject` 73 entries

`ScriptBlockText` 67 entries

`EventID` 61 entries

`ImageLoaded` 60 entries

`QueryName` 58 entries

`process_name` 51 entries

`DestinationHostname` 33 entries

`GrantedAccess` 33 entries

`Contents` 33 entries

`TargetImage` 29 entries

`ServiceName` 26 entries

`aceAccessRights` 19 entries

`file_name` 17 entries

`DestinationPort` 16 entries

`Properties` 15 entries

`SubcategoryGuid` 15 entries

`dest_ip` 14 entries

`ImagePath` 14 entries

`ParentCommandLine` 14 entries

`file.name` 14 entries

`src_ip` 12 entries

`registry_path` 12 entries

`EventType` 11 entries

`IntegrityLevel` 10 entries

`user` 10 entries

`ServiceFileName` 10 entries

`Provider_Name` 8 entries

`Description` 8 entries

`Product` 8 entries

`LogonType` 7 entries

`ObjectType` 7 entries

`AttributeLDAPDisplayName` 6 entries

`ShareName` 6 entries

`Channel` 6 entries

`Data` 6 entries

`TaskName` 6 entries

`ObjectClass` 5 entries

`RelativeTargetName` 5 entries

`Status` 5 entries

`AuditPolicyChanges` 5 entries

`CallTrace` 5 entries

`AccessMask` 4 entries

`AuthenticationPackageName` 4 entries

`ModifyingApplication` 4 entries

`ObjectName` 4 entries

`event.category` 3 entries

`AccessList` 3 entries

`TicketOptions` 3 entries

`Changes` 3 entries

`Payload` 3 entries

`Signed` 2 entries

`source.ip` 2 entries

`Esql.script_block_length` 2 entries

`Esql.script_block_pattern_count` 2 entries

`OperationType` 2 entries

`SignatureStatus` 2 entries

`Company` 2 entries

`TargetName` 2 entries

`event_action` 2 entries

`user.id` 2 entries

`Attributes` 2 entries

`LogonId` 2 entries

`ParentUser` 2 entries

`Path` 2 entries

`TargetUserSid` 2 entries

`aceType` 2 entries

`isutility` 2 entries

`registry_value_name` 2 entries

`Initiated` 1 entries

`isOutlier` 1 entries

`event.outcome` 1 entries

`unique_accounts` 1 entries

`TicketEncryptionType` 1 entries