@dfirence
Created August 20, 2025 14:09
{
"rule": {
"id": "2e4e488a-6164-4811-9ea1-f960c7359c40",
"name": "HackTool - CACTUSTORCH Remote Thread Creation",
"description": "Detects remote thread creation from CACTUSTORCH as described in references.",
"logic": "{\n \"selection\": {\n \"SourceImage|endswith\": [\n \"\\\\System32\\\\cscript.exe\",\n \"\\\\System32\\\\wscript.exe\",\n \"\\\\System32\\\\mshta.exe\",\n \"\\\\winword.exe\",\n \"\\\\excel.exe\"\n ],\n \"TargetImage|contains\": \"\\\\SysWOW64\\\\\",\n \"StartModule\": null\n },\n \"condition\": \"selection\"\n}",
"risk_score": 0,
"severity": "high",
"meta": {
"_type": "sigma:hq",
"author": "@SBousseaden (detection), Thomas Patzke (rule)",
"entities": [
"sourceimage.endswith",
"targetimage.contains",
"startmodule"
],
"mitre": "t1055.012|t1059.005|t1059.007|t1218.005",
"note": "status = test| https://twitter.com/SBousseaden/status/1090588499517079552|https://github.com/mdsecactivebreach/CACTUSTORCH",
"product": {
"company": "sigma-oss",
"name": "windows:create_remote_thread"
},
"source": {
"file": "create_remote_thread_win_hktl_cactustorch.yml",
"path": "community\\3p\\sigma\\content\\rules\\windows\\create_remote_thread\\create_remote_thread_win_hktl_cactustorch.yml",
"repo": "https://github.com/SigmaHQ/sigma"
},
"tags": "attack.defense-evasion|attack.execution|attack.t1055.012|attack.t1059.005|attack.t1059.007|attack.t1218.005",
"time": {
"created": "2019-02-01",
"deprecated": "",
"updated": "2023-05-05"
}
}
}
}