Sigma rules for BAUXITE
500 rules · scoped to actor · back to BAUXITE
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
- id: 18249279-932f-45e2-b37a-8925f2597670
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
level: high
title: RDP Port Forwarding Rule Added Via Netsh.EXE
id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
status: test
description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-01-29
modified: 2023-02-13
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- ' i'
- ' p'
- '=3389'
- ' c'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: high
title: PUA - NPS Tunneling Tool Execution
id: 68d37776-61db-42f5-bf54-27e87072d17e
status: test
description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
references:
- https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\npc.exe'
selection_cli_1:
CommandLine|contains|all:
- ' -server='
- ' -vkey='
- ' -password='
selection_cli_2:
CommandLine|contains: ' -config=npc'
selection_hashes:
# v0.26.10
Hashes|contains:
- "MD5=AE8ACF66BFE3A44148964048B826D005"
- "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
- https://github.com/HiwinCN/HTran
- https://github.com/cw1997/NATBypass
author: Florian Roth (Nextron Systems)
date: 2022-12-27
modified: 2023-02-04
tags:
- attack.command-and-control
- attack.t1090
- attack.s0040
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\htran.exe'
- '\lcx.exe'
selection_cli:
CommandLine|contains:
- '.exe -tran '
- '.exe -slave '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
- https://asec.ahnlab.com/en/38156/
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\frpc.exe'
- '\frps.exe'
selection_cli:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: PUA- IOX Tunneling Tool Execution
id: d7654f02-e04b-4934-9838-65c46f187ebc
status: test
description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
references:
- https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\iox.exe'
selection_commandline:
CommandLine|contains:
- '.exe fwd -l '
- '.exe fwd -r '
- '.exe proxy -l '
- '.exe proxy -r '
selection_hashes:
# v0.4
Hashes|contains:
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
condition: 1 of selection*
falsepositives:
- Legitimate use
level: high
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: windows
service: terminalservices-localsessionmanager
detection:
selection:
EventID: 21
Address|contains: '16777216'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - SharpChisel Execution
id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
related:
- id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
type: similar
status: test
description: Detects usage of the Sharp Chisel via the commandline arguments
references:
- https://github.com/shantanu561993/SharpChisel
- https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1090.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SharpChisel.exe'
- Product: 'SharpChisel'
# See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
condition: selection
falsepositives:
- Unlikely
level: high
title: Renamed Cloudflared.EXE Execution
id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0
status: test
description: Detects the execution of a renamed "cloudflared" binary.
references:
- https://github.com/cloudflare/cloudflared/releases
- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
- https://github.com/cloudflare/cloudflared
- https://www.intrinsec.com/akira_ransomware/
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
tags:
- attack.command-and-control
- attack.t1090.001
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
logsource:
category: process_creation
product: windows
detection:
selection_cleanup:
CommandLine|contains|all:
- ' tunnel '
- 'cleanup '
CommandLine|contains:
- '-config '
- '-connector-id '
selection_tunnel:
CommandLine|contains|all:
- ' tunnel '
- ' run '
CommandLine|contains:
- '-config '
- '-credentials-contents '
- '-credentials-file '
- '-token '
selection_accountless:
CommandLine|contains|all:
- '-url'
- 'tunnel'
selection_hashes:
Hashes|contains:
- 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
- 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
- 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
- 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
- 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
- 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
- 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
- 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
- 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
- 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
- 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
- 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
- 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
- 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
- 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
- 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
- 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
- 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
- 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
- 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
- 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
- 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
- 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
- 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
- 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
- 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
- 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
- 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
- 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
- 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
- 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
- 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
- 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
- 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
- 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
- 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
- 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
- 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
filter_main_known_names:
Image|endswith:
- '\cloudflared.exe'
- '\cloudflared-windows-386.exe'
- '\cloudflared-windows-amd64.exe'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: PUA - Chisel Tunneling Tool Execution
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
related:
- id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
type: similar
status: test
description: Detects usage of the Chisel tunneling tool via the commandline arguments
references:
- https://github.com/jpillora/chisel/
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1090.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\chisel.exe'
selection_param1:
CommandLine|contains:
- 'exe client '
- 'exe server '
selection_param2:
CommandLine|contains:
- '-socks5'
- '-reverse'
- ' r:'
- ':127.0.0.1:'
- '-tls-skip-verify '
- ':socks'
condition: selection_img or all of selection_param*
falsepositives:
- Some false positives may occur with other tools with similar commandlines
level: high
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1090.001
- attack.t1090.002
- attack.t1021.001
- car.2013-07-002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestAddress:
- '127.*'
- '::1'
destinationRDP:
DestPort: 3389
SourceAddress:
- '127.*'
- '::1'
filter_app_container:
FilterOrigin: 'AppContainer Loopback'
filter_thor: # checking BlueKeep vulnerability
Application|endswith:
- '\thor.exe'
- '\thor64.exe'
condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
- Programs that connect locally to the RDP port
level: high
title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
- https://github.com/trufflesecurity/trufflehog
- https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
- attack.credential-access
- attack.t1555
- attack.t1003
logsource:
product: aws
service: cloudtrail
detection:
selection:
userAgent: 'TruffleHog'
condition: selection
falsepositives:
- Legitimate use of TruffleHog by security teams for credential scanning.
level: medium
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
- attack.t1003
- attack.credential-access
logsource:
product: azure
service: activitylogs
detection:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
falsepositives:
- Valid change
level: medium
title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
Detects file access requests to crypto currency files by uncommon processes.
Could indicate potential attempt of crypto currency wallet stealing.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
- FileName|contains:
- '\AppData\Roaming\Ethereum\keystore\'
- '\AppData\Roaming\EthereumClassic\keystore\'
- '\AppData\Roaming\monero\wallets\'
- FileName|endswith:
- '\AppData\Roaming\Bitcoin\wallet.dat'
- '\AppData\Roaming\BitcoinABC\wallet.dat'
- '\AppData\Roaming\BitcoinSV\wallet.dat'
- '\AppData\Roaming\DashCore\wallet.dat'
- '\AppData\Roaming\DogeCoin\wallet.dat'
- '\AppData\Roaming\Litecoin\wallet.dat'
- '\AppData\Roaming\Ripple\wallet.dat'
- '\AppData\Roaming\Zcash\wallet.dat'
filter_main_system:
Image: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
- Legitimate software installed on partitions other than "C:\"
- Searching software such as "everything.exe"
level: medium
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
Detects suspicious processes based on name and location that access the windows credential manager and vault.
Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
- https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|contains:
- '\AppData\Local\Microsoft\Credentials\'
- '\AppData\Roaming\Microsoft\Credentials\'
- '\AppData\Local\Microsoft\Vault\'
- '\ProgramData\Microsoft\Vault\'
filter_system_folders:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
- https://twitter.com/vxunderground/status/1423336151860002816
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.003
- attack.s0404
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'esentutl'
- ' /p'
condition: selection
falsepositives:
- To be determined
level: medium
title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2022-11-10
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.002
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\wmic.exe'
- '\vssadmin.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wmic.exe'
- 'VSSADMIN.EXE'
selection_cli:
CommandLine|contains|all:
- 'shadow'
- 'create'
condition: all of selection_*
falsepositives:
- Legitimate administrator working with shadow copies, access for backup purposes
level: medium
title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
In order to dump the process memory or perform other nefarious actions.
references:
- https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
- https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
modified: 2024-03-13
tags:
- attack.t1003
- attack.credential-access
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\tasklist.exe'
- OriginalFileName: 'tasklist.exe'
selection_flags:
CommandLine|contains|windash: '-m'
selection_module:
# Note: add other interesting modules or binaries
CommandLine|contains: 'rdpcorets.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
- https://twitter.com/vysecurity/status/974806438316072960
- https://twitter.com/vysecurity/status/873181705024266241
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020-10-09
modified: 2025-10-31
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\RpcPing.exe'
- OriginalFileName: '\RpcPing.exe'
selection_main_flag:
CommandLine|contains|windash: '-s'
selection_cli_ntlm:
CommandLine|contains|windash: '-u'
CommandLine|contains: 'NTLM'
selection_cli_ncacn:
CommandLine|contains|windash: '-t'
CommandLine|contains: 'ncacn_np'
condition: all of selection_main_* and 1 of selection_cli_*
falsepositives:
- Unlikely
level: medium
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
- https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
service: security
definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
selection:
EventID: 4663
ObjectType: 'File'
ObjectName|contains: '\AppData\Roaming\Signal\'
ObjectName|endswith:
- '\config.json'
- '\db.sqlite'
filter_main_signal:
ProcessName|endswith:
- '\signal-portable.exe'
- '\signal.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely, but possible from AV or backup software accessing the files.
level: medium
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
- id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
filter:
TargetObject|contains:
- '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
- '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
- '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
filter_valid_procs:
Image: C:\Windows\System32\poqexec.exe
condition: selection and not 1 of filter*
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: medium
title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
- id: 910ab938-668b-401b-b08c-b596e80fdca5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
date: 2020-04-02
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
name:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- '\sam'
- '\ntds.dit'
- '\security'
condition: selection
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
- https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
selection_cli:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate use of procdump by a developer or administrator
level: medium
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020-10-08
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sqldumper.exe'
CommandLine|contains:
- '0x0110'
- '0x01100:40'
condition: selection
falsepositives:
- Legitimate MSSQL Server actions
level: medium
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection_target:
TargetImage|endswith: '\lsass.exe'
selection_access:
- GrantedAccess|endswith:
# - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- GrantedAccess|startswith:
- '0x100000'
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
# - '0x1000' # minimum access requirements to query basic info from service
# - '0x1010' # car.2019-04-004
# - '0x1400'
# - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
filter_main_generic:
# When using this rule. Remove this filter and replace it by the path of the specific AV you use
SourceImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_malwarebytes:
SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
filter_optional_vscode:
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_main_windefend_1:
SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
SourceImage|endswith: '\MsMpEng.exe'
filter_main_windefend_2:
CallTrace|contains|all:
- '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
- '}\mpengine.dll+'
GrantedAccess: '0x1418'
filter_main_windefend_3:
CallTrace|contains:
- '|c:\program files\windows defender\mprtp.dll'
- '|c:\program files\windows defender\MpClient.dll'
filter_optional_vmwaretools:
SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
SourceImage|endswith: '\vmtoolsd.exe'
filter_optional_sysinternals_process_explorer:
SourceImage|endswith:
- '\PROCEXP64.EXE'
- '\PROCEXP.EXE'
GrantedAccess: '0x40'
filter_optional_mbami:
SourceImage|endswith: '\MBAMInstallerService.exe'
GrantedAccess: '0x40'
filter_optional_nextron:
SourceImage|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
- '\thor.exe'
- '\thor64.exe'
GrantedAccess: '0x40'
filter_main_explorer:
SourceImage|endswith: '\explorer.exe'
GrantedAccess: '0x401'
filter_optional_sysinternals_handle:
SourceImage|endswith:
- '\handle.exe'
- '\handle64.exe'
GrantedAccess: '0x40'
filter_optional_webex:
SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
GrantedAccess: '0x401'
filter_optional_steam_apps:
SourceImage|contains: '\SteamLibrary\steamapps\'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software such as AV and EDR
level: medium
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019-04-03
modified: 2024-03-02
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1038'
- '0x1438'
- '0x143a'
- '0x1fffff' # Too many false positives
# - '0x01000' # Too many false positives
# - '0x1010' # Too many false positives
# - '0x1400' # Too many false positives
# - '0x1410' # Too many false positives
# - '0x40' # Too many false positives
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
- 'kernel32.dll'
- 'kernelbase.dll'
- 'ntdll.dll'
filter_main_system_user:
SourceUser|contains: # Covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_thor:
CallTrace|contains|all:
- ':\Windows\Temp\asgard2-agent\'
- '\thor\thor64.exe+'
- '|UNKNOWN('
GrantedAccess: '0x103800'
filter_optional_sysmon:
SourceImage|endswith: ':\Windows\Sysmon64.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\lsass.exe'
Signed: 'false'
condition: selection
falsepositives:
- Valid user connecting using RDP
level: medium
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
- attack.credential-access
- car.2019-04-004
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection_1:
EventID: 4656 # A handle to an object was requested.
ObjectName|endswith: '\lsass.exe'
AccessMask|contains:
- '0x40'
- '0x1400'
# - '0x1000' # minimum access requirements to query basic info from service
- '0x100000'
- '0x1410' # car.2019-04-004
- '0x1010' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
selection_2:
EventID: 4663 # An attempt was made to access an object
ObjectName|endswith: '\lsass.exe'
AccessList|contains:
- '4484'
- '4416'
filter_main_specific:
ProcessName|endswith:
- '\csrss.exe'
- '\GamingServices.exe'
- '\lsm.exe'
- '\MicrosoftEdgeUpdate.exe'
- '\minionhost.exe' # Cyberreason
- '\MRT.exe' # MS Malware Removal Tool
- '\MsMpEng.exe' # Defender
- '\perfmon.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\svchost.exe'
- '\taskmgr.exe'
- '\thor.exe' # THOR
- '\thor64.exe' # THOR
- '\vmtoolsd.exe'
- '\VsTskMgr.exe' # McAfee Enterprise
- '\wininit.exe'
- '\wmiprvse.exe'
- 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
ProcessName|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\ProgramData\Microsoft\Windows Defender\Platform\'
- ':\Windows\SysNative\'
- ':\Windows\System32\'
- ':\Windows\SysWow64\'
- ':\Windows\Temp\asgard2-agent\'
filter_main_generic:
ProcessName|contains: ':\Program Files' # too many false positives with legitimate AV and EDR solutions
filter_main_exact:
ProcessName|endswith:
- ':\Windows\System32\taskhostw.exe'
- ':\Windows\System32\msiexec.exe'
- ':\Windows\CCM\CcmExec.exe'
filter_main_sysmon:
ProcessName|endswith: ':\Windows\Sysmon64.exe'
AccessList|contains: '%%4484'
filter_main_aurora:
ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
ProcessName|endswith: '\aurora-agent-64.exe'
AccessList|contains: '%%4484'
filter_main_scenarioengine:
# Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
AccessList|contains: '%%4484'
filter_main_avira1:
ProcessName|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\is-'
ProcessName|endswith: '\avira_system_speedup.tmp'
AccessList|contains: '%%4484'
filter_main_avira2:
ProcessName|contains: ':\Windows\Temp\'
ProcessName|endswith: '\avira_speedup_setup_update.tmp'
AccessList|contains: '%%4484'
filter_main_snmp:
ProcessName|endswith: ':\Windows\System32\snmp.exe'
AccessList|contains: '%%4484'
filter_main_googleupdate:
ProcessName|contains: ':\Windows\SystemTemp\'
ProcessName|endswith: '\GoogleUpdate.exe'
AccessList|contains: '%%4484'
filter_optional_procmon:
ProcessName|endswith:
- '\procmon64.exe'
- '\procmon.exe'
AccessList|contains: '%%4484'
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
- id: 2e69f167-47b5-4ae7-a390-47764529eff5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-07-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: windows
service: security
detection:
selection_eid:
EventID: 5145
selection_object:
- RelativeTargetName|contains:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- RelativeTargetName:
- 'Windows\NTDS\ntds.dit'
- 'Windows\System32\config\SAM'
- 'Windows\System32\config\SECURITY'
- 'Windows\System32\config\SYSTEM'
condition: all of selection_*
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
- https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4663
- 4656
AccessMask:
- '0x100000'
- '0x1010' # car.2019-04-004
- '0x1400'
- '0x1410' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
- '143a' # car.2019-04-004
- '1f0fff'
- '1f1fff'
- '1f2fff'
- '1f3fff'
# - '0x1000' # minimum access requirements to query basic info from service
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
filter_main_service_account:
SubjectUserName|endswith: '$'
filter_main_generic:
ProcessName|contains:
# Legitimate AV and EDR solutions
- ':\Program Files\'
- ':\Program Files (x86)\'
filter_main_wmiprvse:
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
AccessMask: '0x1410'
filter_optional_steam:
ProcessName|contains: '\SteamLibrary\steamapps\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
- https://o365blog.com/post/adfs/
- https://github.com/Azure/SimuLand
author: Roberto Rodriguez @Cyb3rWard0g
date: 2021-10-08
modified: 2023-11-30
tags:
- attack.collection
- attack.t1005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName: '\MICROSOFT##WID\tsql\query'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\system32\svchost.exe'
- ':\Windows\System32\wsmprovhost.exe'
- ':\Windows\SysWOW64\mmc.exe'
- ':\Windows\SysWOW64\wsmprovhost.exe'
- ':\Windows\WID\Binn\sqlwriter.exe'
- '\AzureADConnect.exe'
- '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- '\Microsoft.IdentityServer.ServiceHost.exe'
- '\Microsoft.Tri.Sensor.exe'
- '\sqlservr.exe'
- '\tssdis.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*
falsepositives:
- Legitimate use
level: medium
title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
Image|endswith: '\sqlcmd.exe'
CommandLine|contains|all:
- 'VeeamBackup'
- 'From '
selection_db:
CommandLine|contains:
- 'BackupRepositories'
- 'Backups'
- 'Credentials'
- 'HostCreds'
- 'SmbFileShares'
- 'Ssh_creds'
- 'VSphereInfo'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
- id: 2ff692c2-4594-41ec-8fcb-46587de769e0
type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
- https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
- https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
- attack.credential-access
- attack.collection
- attack.t1003.002
- attack.t1005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
EventID: 1001
condition: selection
level: medium
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'ServicesActive'
AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
filter:
SubjectLogonId: '0x3e4'
condition: selection and not filter
falsepositives:
- Unknown
# triggering on many hosts in some environments
level: medium
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
- id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
- https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
- attack.discovery
- attack.t1016
logsource:
category: network_connection
product: windows
detection:
selection:
- DestinationHostname:
- 'www.ip.cn'
- 'l2.io'
- DestinationHostname|contains:
- 'api.2ip.ua'
- 'api.bigdatacloud.net'
- 'api.ipify.org'
- 'bot.whatismyipaddress.com'
- 'canireachthe.net'
- 'checkip.amazonaws.com'
- 'checkip.dyndns.org'
- 'curlmyip.com'
- 'db-ip.com'
- 'edns.ip-api.com'
- 'eth0.me'
- 'freegeoip.app'
- 'geoipy.com'
- 'getip.pro'
- 'icanhazip.com'
- 'ident.me'
- 'ifconfig.io'
- 'ifconfig.me'
- 'ip-api.com'
- 'ip.360.cn'
- 'ip.anysrc.net'
- 'ip.taobao.com'
- 'ip.tyk.nu'
- 'ipaddressworld.com'
- 'ipapi.co'
- 'ipconfig.io'
- 'ipecho.net'
- 'ipinfo.io'
- 'ipip.net'
- 'ipof.in'
- 'ipv4.icanhazip.com'
- 'ipv4bot.whatismyipaddress.com'
- 'ipv6-test.com'
- 'ipwho.is'
- 'jsonip.com'
- 'myexternalip.com'
- 'seeip.org'
- 'wgetip.com'
- 'whatismyip.akamai.com'
- 'whois.pconline.com.cn'
- 'wtfismyip.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.t1018
- attack.t1558
- attack.t1589.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enable'
detection:
selection:
ScriptBlockText|contains:
- '-Properties*TrustedForDelegation'
- '-Properties*TrustedToAuthForDelegation'
- '-Properties*msDS-AllowedToDelegateTo'
- '-Properties*PrincipalsAllowedToDelegateToAccount'
- '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
- attack.discovery
- attack.t1018
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
- '.findall()'
- 'Properties.name'
condition: selection
falsepositives:
- Unknown
level: medium
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://ss64.com/nt/for.html
- https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
- attack.execution
- attack.t1059
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_loop:
CommandLine|contains:
- 'for '
- 'foreach '
selection_tools:
CommandLine|contains:
- 'nslookup'
- 'ping'
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
- https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
selection_opt:
CommandLine|contains:
- ' -L '
- ' -P '
- ' -R '
- ' -pw '
- ' -ssh '
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
- attack.execution
- attack.lateral-movement
- attack.t1569
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\psexec.exe'
- OriginalFileName: 'psexec.c'
condition: selection
falsepositives:
- Administrative scripts.
level: medium
title: Bitbucket Global SSH Settings Changed
id: 16ab6143-510a-44e2-a615-bdb80b8317fc
status: test
description: Detects Bitbucket global SSH access configuration changes.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.lateral-movement
- attack.defense-impairment
- attack.t1685
- attack.t1021.004
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Global administration'
auditType.action: 'SSH settings changed'
condition: selection
falsepositives:
- Legitimate user activity.
level: medium
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
Detects SSH user login access failures.
Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.lateral-movement
- attack.credential-access
- attack.t1021.004
- attack.t1110
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Authentication'
auditType.action: 'User login failed(SSH)'
condition: selection
falsepositives:
- Legitimate user wrong password attempts.
level: medium
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
- attack.execution
- attack.t1059.003
- attack.lateral-movement
- attack.t1021.004
- attack.command-and-control
- attack.t1219
logsource:
product: windows
category: process_creation
detection:
selection_img:
ParentImage|endswith: '\ITSMService.exe'
Image|endswith: '\ssh-shellhost.exe'
CommandLine|contains: '--pty'
selection_cli_shell:
CommandLine|contains:
- 'bash'
- 'cmd'
- 'powershell'
- 'pwsh'
condition: all of selection_*
falsepositives:
- Legitimate use of OpenEDR for remote command execution
level: medium
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1572
- attack.t1021.001
- attack.t1021.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains|windash: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: medium