https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_speechruntime_child_process/
Suspicious Speech Runtime Binary Child Process | Detection.FYI
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt...
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mshta_susp_child_processes/
Suspicious MSHTA Child Process | Detection.FYI
Detects a suspicious process spawning from an
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes/
Suspicious Outlook Child Process | Detection.FYI
Detects a suspicious process spawning from an Outlook process.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process/
Uncommon Sigverif.EXE Child Process | Detection.FYI
Detects uncommon child processes spawning from
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_msdt_susp_parent/
Suspicious MSDT Parent Process | Detection.FYI
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
https://detection.fyi/sigmahq/sigma/unsupported/windows/sysmon_non_priv_program_files_move/
Files Dropped to Program Files by Non-Privileged Process | Detection.FYI
Search for dropping of files to Windows/Program Files folders by non-privileged processes
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes/
Cscript/Wscript Potentially Suspicious Child Process | Detection.FYI
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process/
Wlrmdr.EXE Uncommon Argument Or Child Process | Detection.FYI
Detects the execution of
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_msra_process_injection/
Potential Process Injection Via Msra.EXE | Detection.FYI
Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process/
Uncommon Child Process Of Appvlp.EXE | Detection.FYI
Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse …
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_hktl_dumpert/
HackTool - Dumpert Process Dumper Default File | Detection.FYI
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
https://detection.fyi/mbabinski/sigma-rules/2023_onenote_malware/win_proc_creation_regasm_process_injection/
Suspicious Process Injection to RegAsm | Detection.FYI
Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT...
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_frombase64string_archive/
Suspicious FromBase64String Usage On Gzip Archive - Process Creation | Detection.FYI
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_webshell_chopper/
Chopper Webshell Process Pattern | Detection.FYI
Detects patterns found in process executions caused by China Chopper like tiny (ASPX) webshells
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass/
Potential LSASS Process Dump Via Procdump | Detection.FYI
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine …
https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm/
Remote LSASS Process Access Through Windows Remote Management | Detection.FYI
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_download_com_cradles/
Potential COM Objects Download Cradles Usage - Process Creation | Detection.FYI
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_regsvr32_susp_child_process/
Potentially Suspicious Child Process Of Regsvr32 | Detection.FYI
Detects potentially suspicious child processes of
https://detection.fyi/sigmahq/sigma/unsupported/windows/sysmon_process_reimaging/
Defense evasion via process reimaging | Detection.FYI
Detects process reimaging defense evasion technique
https://detection.fyi/mbabinski/sigma-rules/2023_redcanary_threatdetectionreport/technique_smb_win_admin_shares_process_execution/
Process Execution from Admin Share (RedCanary Threat Detection Report) | Detection.FYI
Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.