detection.wiki

Detection rules › Sigma

Suspicious Program Names

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_image

or:
Image|endswith: '\artifact.exe'
Image|endswith: '\artifact32.exe'
Image|endswith: '\artifact32big.exe'
Image|endswith: '\artifact64.exe'
Image|endswith: '\artifact_protected.exe'
Image|endswith: '\meterpreter'
Image|endswith: '\poc.exe'
Image|endswith: obfusc.exe
Image|endswith: obfuscated.exe
Image|contains: '\CVE-202'
Image|contains: '\CVE202'

Stage 2: 1 of selection_commandline

or:
CommandLine|contains: Hound.ps1
CommandLine|contains: Invoke-CVE
CommandLine|contains: MiniDogz.ps1
CommandLine|contains: PowerView.ps1
CommandLine|contains: '\PowerUp_'
CommandLine|contains: '\Temp\1.ps1'
CommandLine|contains: '\Temp\a.ps1'
CommandLine|contains: '\Temp\p.ps1'
CommandLine|contains: '\av.ps1'
CommandLine|contains: '\av_test.ps1'
CommandLine|contains: '\rshell.ps1'
CommandLine|contains: '\shell.ps1'
CommandLine|contains: _enc.ps1
CommandLine|contains: adrecon.ps1
CommandLine|contains: beacon.ps1
CommandLine|contains: bypass.ps1
CommandLine|contains: encode.ps1
CommandLine|contains: evil.ps1
CommandLine|contains: inject.ps1
CommandLine|contains: mimikatz.ps1
CommandLine|contains: obfs.ps1
CommandLine|contains: obfus.ps1
CommandLine|contains: obfusc.ps1
CommandLine|contains: obfuscated.ps1
CommandLine|contains: payload.ps1
CommandLine|contains: powercat.ps1
CommandLine|contains: powerup.ps1
CommandLine|contains: pupy.ps1
CommandLine|contains: revshell.ps1

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • Hound.ps1
  • Invoke-CVE
  • MiniDogz.ps1
  • PowerView.ps1
  • \PowerUp_
  • \Temp\1.ps1
  • \Temp\a.ps1
  • \Temp\p.ps1
  • \av.ps1
  • \av_test.ps1
  • \rshell.ps1
  • \shell.ps1
  • _enc.ps1
  • adrecon.ps1
  • beacon.ps1
  • bypass.ps1
  • encode.ps1
  • evil.ps1
  • inject.ps1
  • mimikatz.ps1
  • obfs.ps1
  • obfus.ps1
  • obfusc.ps1
  • obfuscated.ps1
  • payload.ps1
  • powercat.ps1
  • powerup.ps1
  • pupy.ps1
  • revshell.ps1
Imageends_with
  • \artifact.exe
  • \artifact32.exe
  • \artifact32big.exe
  • \artifact64.exe
  • \artifact_protected.exe
  • \meterpreter
  • \poc.exe
  • obfusc.exe
  • obfuscated.exe
Imagematch
  • \CVE-202
  • \CVE202