SigmaHQ · nasbench · Feb 28, 2026 · Feb 4, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/...ws/image_load/image_load_side_load_bthprops_cpl/81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f.evtx b/...ws/image_load/image_load_side_load_bthprops_cpl/81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f.evtx
diff --git a/...ws/image_load/image_load_side_load_bthprops_cpl/81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f.json b/...ws/image_load/image_load_side_load_bthprops_cpl/81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f.json
@@ -0,0 +1,59 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 7,
+      "Version": 3,
+      "Level": 4,
+      "Task": 7,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-02-04T08:43:28.342637Z"
+        }
+      },
+      "EventRecordID": 715282,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 776,
+          "ThreadID": 4352
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "srv-01.midgardnet.tech",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-02-04 08:43:28.234",
+      "ProcessGuid": "14207D89-06B0-6983-CF01-000000004402",
+      "ProcessId": 6672,
+      "Image": "C:\\Users\\SwachchhandaP\\Downloads\\fsquirt.exe",
+      "ImageLoaded": "C:\\Users\\SwachchhandaP\\Downloads\\bthprops.cpl",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "Hashes": "MD5=221877743CF329314E571E9398EFCA70,SHA256=863390BB749E466975A6A5330CCD077C846E1F387AAE0327AFFE33DF87153E67,IMPHASH=7FF91A855D5B3D338EB5B4CE63698F4A",
+      "Signed": "false",
+      "Signature": "-",
+      "SignatureStatus": "Unavailable",
+      "User": "MIDGARDNET\\SwachchhandaP"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/image_load/image_load_side_load_bthprops_cpl/info.yml b/regression_data/rules/windows/image_load/image_load_side_load_bthprops_cpl/info.yml
@@ -0,0 +1,13 @@
+id: 8ee57597-baba-46bd-8a61-85ff51f7aab6
+description: N/A
+date: 2026-02-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f
+      title: Potential Bthprops.Cpl Sideloading
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/image_load/image_load_side_load_bthprops_cpl/81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f.evtx
diff --git a/...ation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx b/...ation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx
diff --git a/...ation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json b/...ation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-02-04T08:52:58.205267Z"
+        }
+      },
+      "EventRecordID": 715573,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 776,
+          "ThreadID": 4344
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "srv-01.midgardnet.tech",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-02-04 08:52:58.203",
+      "ProcessGuid": "14207D89-08EA-6983-2A02-000000004402",
+      "ProcessId": 5696,
+      "Image": "C:\\Users\\SwachchhandaP\\Downloads\\taskhost.exe",
+      "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+      "Description": "Windows Calculator",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "CALC.EXE",
+      "CommandLine": "taskhost.exe",
+      "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\",
+      "User": "MIDGARDNET\\SwachchhandaP",
+      "LogonGuid": "14207D89-057C-6983-A047-0C0000000000",
+      "LogonId": "0xc47a0",
+      "TerminalSessionId": 2,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729",
+      "ParentProcessGuid": "14207D89-08EA-6983-2902-000000004402",
+      "ParentProcessId": 1816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd  /c taskhost.exe",
+      "ParentUser": "MIDGARDNET\\SwachchhandaP"
+    }
+  }
+}
diff --git a/...on_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml b/...on_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
@@ -0,0 +1,13 @@
+id: 0efa6f32-c1df-4053-91ca-cafc05416e79
+description: N/A
+date: 2026-02-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
+      title: System File Execution Location Anomaly
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx
diff --git a/...proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx b/...proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx
diff --git a/...proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json b/...proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-02-04T08:47:45.988926Z"
+        }
+      },
+      "EventRecordID": 715337,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 776,
+          "ThreadID": 4344
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "srv-01.midgardnet.tech",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-02-04 08:47:45.987",
+      "ProcessGuid": "14207D89-07B1-6983-EA01-000000004402",
+      "ProcessId": 5592,
+      "Image": "C:\\Users\\SwachchhandaP\\Downloads\\svchost.exe",
+      "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)",
+      "Description": "Windows Calculator",
+      "Product": "Microsoft® Windows® Operating System",
+      "Company": "Microsoft Corporation",
+      "OriginalFileName": "CALC.EXE",
+      "CommandLine": ".\\svchost.exe",
+      "CurrentDirectory": "C:\\Users\\SwachchhandaP\\Downloads\\",
+      "User": "MIDGARDNET\\SwachchhandaP",
+      "LogonGuid": "14207D89-057C-6983-A047-0C0000000000",
+      "LogonId": "0xc47a0",
+      "TerminalSessionId": 2,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729",
+      "ParentProcessGuid": "14207D89-0781-6983-E201-000000004402",
+      "ParentProcessId": 984,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
+      "ParentUser": "MIDGARDNET\\SwachchhandaP"
+    }
+  }
+}
diff --git a/...a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml b/...a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
@@ -0,0 +1,13 @@
+id: 9cee7767-9219-40b3-b77e-dedf82957c94
+description: N/A
+date: 2026-02-04
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
+      title: Suspicious Process Masquerading As SvcHost.EXE
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx
diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml
@@ -8,7 +8,7 @@ references:
     - Internal Research
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020-05-26
-modified: 2025-12-03
+modified: 2026-02-04
 tags:
     - attack.defense-evasion
     - attack.t1036.005
@@ -36,6 +36,7 @@ detection:
             - '\explorer.exe'
             - '\extrac32.exe'
             - '\fontdrvhost.exe'
+            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
             - '\ipconfig.exe'
             - '\iscsicli.exe'
             - '\iscsicpl.exe'

diff --git a/rules/windows/image_load/image_load_side_load_bthprops_cpl.yml b/rules/windows/image_load/image_load_side_load_bthprops_cpl.yml
@@ -0,0 +1,36 @@
+title: Potential Bthprops.Cpl Sideloading
+id: 81909c5c-7cc6-4e0b-aea7-e1d4ab7abf0f
+status: experimental
+description: |
+    Detects potential DLL sideloading of bthprops.cpl, which can be abused by fsquirt.exe (Bluetooth File Transfer Wizard) to load a malicious DLL from a non-standard location.
+references:
+    - https://github.com/mhaskar/FsquirtCPLPoC
+    - https://securelist.com/sidewinder-apt/114089/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-02-04
+tags:
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.privilege-escalation
+    - attack.t1574.001
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\bthprops.cpl'
+    filter_main_legitimate_paths:
+        ImageLoaded|startswith:
+            - 'C:\Windows\Prefetch\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    filter_main_legit_signed:
+        OriginalFileName: bluetooth.cpl
+        Signature: Microsoft Windows
+        Signed: true
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high
+regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_bthprops_cpl/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -12,7 +12,7 @@ references:
     - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2017-11-27
-modified: 2025-11-23
+modified: 2026-02-04
 tags:
     - attack.defense-evasion
     - attack.t1036
@@ -41,6 +41,7 @@ detection:
             - '\dllhst3g.exe'
             - '\dwm.exe'
             - '\eventvwr.exe'
+            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
             - '\logonui.exe'
             - '\LsaIso.exe'
             - '\lsass.exe'
@@ -106,3 +107,4 @@ detection:
 falsepositives:
     - Unknown
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
diff --git a/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml b/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml
@@ -33,3 +33,4 @@ detection:
 falsepositives:
     - Unlikely
 level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml