Sigma rules for BlackEnergy
500 rules · scoped to actor · back to BlackEnergy
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate use of procdump by a developer or administrator
level: medium
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020-10-08
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sqldumper.exe'
CommandLine|contains:
- '0x0110'
- '0x01100:40'
condition: selection
falsepositives:
- Legitimate MSSQL Server actions
level: medium
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection_target:
TargetImage|endswith: '\lsass.exe'
selection_access:
- GrantedAccess|endswith:
# - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- GrantedAccess|startswith:
- '0x100000'
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
# - '0x1000' # minimum access requirements to query basic info from service
# - '0x1010' # car.2019-04-004
# - '0x1400'
# - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
filter_main_generic:
# When using this rule. Remove this filter and replace it by the path of the specific AV you use
SourceImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_malwarebytes:
SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
filter_optional_vscode:
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_main_windefend_1:
SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
SourceImage|endswith: '\MsMpEng.exe'
filter_main_windefend_2:
CallTrace|contains|all:
- '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
- '}\mpengine.dll+'
GrantedAccess: '0x1418'
filter_main_windefend_3:
CallTrace|contains:
- '|c:\program files\windows defender\mprtp.dll'
- '|c:\program files\windows defender\MpClient.dll'
filter_optional_vmwaretools:
SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
SourceImage|endswith: '\vmtoolsd.exe'
filter_optional_sysinternals_process_explorer:
SourceImage|endswith:
- '\PROCEXP64.EXE'
- '\PROCEXP.EXE'
GrantedAccess: '0x40'
filter_optional_mbami:
SourceImage|endswith: '\MBAMInstallerService.exe'
GrantedAccess: '0x40'
filter_optional_nextron:
SourceImage|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
- '\thor.exe'
- '\thor64.exe'
GrantedAccess: '0x40'
filter_main_explorer:
SourceImage|endswith: '\explorer.exe'
GrantedAccess: '0x401'
filter_optional_sysinternals_handle:
SourceImage|endswith:
- '\handle.exe'
- '\handle64.exe'
GrantedAccess: '0x40'
filter_optional_webex:
SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
GrantedAccess: '0x401'
filter_optional_steam_apps:
SourceImage|contains: '\SteamLibrary\steamapps\'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software such as AV and EDR
level: medium
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019-04-03
modified: 2024-03-02
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1038'
- '0x1438'
- '0x143a'
- '0x1fffff' # Too many false positives
# - '0x01000' # Too many false positives
# - '0x1010' # Too many false positives
# - '0x1400' # Too many false positives
# - '0x1410' # Too many false positives
# - '0x40' # Too many false positives
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
- 'kernel32.dll'
- 'kernelbase.dll'
- 'ntdll.dll'
filter_main_system_user:
SourceUser|contains: # Covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_thor:
CallTrace|contains|all:
- ':\Windows\Temp\asgard2-agent\'
- '\thor\thor64.exe+'
- '|UNKNOWN('
GrantedAccess: '0x103800'
filter_optional_sysmon:
SourceImage|endswith: ':\Windows\Sysmon64.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\lsass.exe'
Signed: 'false'
condition: selection
falsepositives:
- Valid user connecting using RDP
level: medium
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
- attack.credential-access
- car.2019-04-004
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection_1:
EventID: 4656 # A handle to an object was requested.
ObjectName|endswith: '\lsass.exe'
AccessMask|contains:
- '0x40'
- '0x1400'
# - '0x1000' # minimum access requirements to query basic info from service
- '0x100000'
- '0x1410' # car.2019-04-004
- '0x1010' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
selection_2:
EventID: 4663 # An attempt was made to access an object
ObjectName|endswith: '\lsass.exe'
AccessList|contains:
- '4484'
- '4416'
filter_main_specific:
ProcessName|endswith:
- '\csrss.exe'
- '\GamingServices.exe'
- '\lsm.exe'
- '\MicrosoftEdgeUpdate.exe'
- '\minionhost.exe' # Cyberreason
- '\MRT.exe' # MS Malware Removal Tool
- '\MsMpEng.exe' # Defender
- '\perfmon.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\svchost.exe'
- '\taskmgr.exe'
- '\thor.exe' # THOR
- '\thor64.exe' # THOR
- '\vmtoolsd.exe'
- '\VsTskMgr.exe' # McAfee Enterprise
- '\wininit.exe'
- '\wmiprvse.exe'
- 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
ProcessName|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\ProgramData\Microsoft\Windows Defender\Platform\'
- ':\Windows\SysNative\'
- ':\Windows\System32\'
- ':\Windows\SysWow64\'
- ':\Windows\Temp\asgard2-agent\'
filter_main_generic:
ProcessName|contains: ':\Program Files' # too many false positives with legitimate AV and EDR solutions
filter_main_exact:
ProcessName|endswith:
- ':\Windows\System32\taskhostw.exe'
- ':\Windows\System32\msiexec.exe'
- ':\Windows\CCM\CcmExec.exe'
filter_main_sysmon:
ProcessName|endswith: ':\Windows\Sysmon64.exe'
AccessList|contains: '%%4484'
filter_main_aurora:
ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
ProcessName|endswith: '\aurora-agent-64.exe'
AccessList|contains: '%%4484'
filter_main_scenarioengine:
# Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
AccessList|contains: '%%4484'
filter_main_avira1:
ProcessName|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\is-'
ProcessName|endswith: '\avira_system_speedup.tmp'
AccessList|contains: '%%4484'
filter_main_avira2:
ProcessName|contains: ':\Windows\Temp\'
ProcessName|endswith: '\avira_speedup_setup_update.tmp'
AccessList|contains: '%%4484'
filter_main_snmp:
ProcessName|endswith: ':\Windows\System32\snmp.exe'
AccessList|contains: '%%4484'
filter_main_googleupdate:
ProcessName|contains: ':\Windows\SystemTemp\'
ProcessName|endswith: '\GoogleUpdate.exe'
AccessList|contains: '%%4484'
filter_optional_procmon:
ProcessName|endswith:
- '\procmon64.exe'
- '\procmon.exe'
AccessList|contains: '%%4484'
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
- id: 2e69f167-47b5-4ae7-a390-47764529eff5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-07-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: windows
service: security
detection:
selection_eid:
EventID: 5145
selection_object:
- RelativeTargetName|contains:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- RelativeTargetName:
- 'Windows\NTDS\ntds.dit'
- 'Windows\System32\config\SAM'
- 'Windows\System32\config\SECURITY'
- 'Windows\System32\config\SYSTEM'
condition: all of selection_*
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
- https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4663
- 4656
AccessMask:
- '0x100000'
- '0x1010' # car.2019-04-004
- '0x1400'
- '0x1410' # car.2019-04-004
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
- '143a' # car.2019-04-004
- '1f0fff'
- '1f1fff'
- '1f2fff'
- '1f3fff'
# - '0x1000' # minimum access requirements to query basic info from service
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
filter_main_service_account:
SubjectUserName|endswith: '$'
filter_main_generic:
ProcessName|contains:
# Legitimate AV and EDR solutions
- ':\Program Files\'
- ':\Program Files (x86)\'
filter_main_wmiprvse:
ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
AccessMask: '0x1410'
filter_optional_steam:
ProcessName|contains: '\SteamLibrary\steamapps\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
- https://o365blog.com/post/adfs/
- https://github.com/Azure/SimuLand
author: Roberto Rodriguez @Cyb3rWard0g
date: 2021-10-08
modified: 2023-11-30
tags:
- attack.collection
- attack.t1005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName: '\MICROSOFT##WID\tsql\query'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\system32\svchost.exe'
- ':\Windows\System32\wsmprovhost.exe'
- ':\Windows\SysWOW64\mmc.exe'
- ':\Windows\SysWOW64\wsmprovhost.exe'
- ':\Windows\WID\Binn\sqlwriter.exe'
- '\AzureADConnect.exe'
- '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- '\Microsoft.IdentityServer.ServiceHost.exe'
- '\Microsoft.Tri.Sensor.exe'
- '\sqlservr.exe'
- '\tssdis.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*
falsepositives:
- Legitimate use
level: medium
title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
Image|endswith: '\sqlcmd.exe'
CommandLine|contains|all:
- 'VeeamBackup'
- 'From '
selection_db:
CommandLine|contains:
- 'BackupRepositories'
- 'Backups'
- 'Credentials'
- 'HostCreds'
- 'SmbFileShares'
- 'Ssh_creds'
- 'VSphereInfo'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
- id: 2ff692c2-4594-41ec-8fcb-46587de769e0
type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
- https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
- https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
- attack.credential-access
- attack.collection
- attack.t1003.002
- attack.t1005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
EventID: 1001
condition: selection
level: medium
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'ServicesActive'
AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
filter:
SubjectLogonId: '0x3e4'
condition: selection and not filter
falsepositives:
- Unknown
# triggering on many hosts in some environments
level: medium
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
- id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
- https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
- attack.discovery
- attack.t1016
logsource:
category: network_connection
product: windows
detection:
selection:
- DestinationHostname:
- 'www.ip.cn'
- 'l2.io'
- DestinationHostname|contains:
- 'api.2ip.ua'
- 'api.bigdatacloud.net'
- 'api.ipify.org'
- 'bot.whatismyipaddress.com'
- 'canireachthe.net'
- 'checkip.amazonaws.com'
- 'checkip.dyndns.org'
- 'curlmyip.com'
- 'db-ip.com'
- 'edns.ip-api.com'
- 'eth0.me'
- 'freegeoip.app'
- 'geoipy.com'
- 'getip.pro'
- 'icanhazip.com'
- 'ident.me'
- 'ifconfig.io'
- 'ifconfig.me'
- 'ip-api.com'
- 'ip.360.cn'
- 'ip.anysrc.net'
- 'ip.taobao.com'
- 'ip.tyk.nu'
- 'ipaddressworld.com'
- 'ipapi.co'
- 'ipconfig.io'
- 'ipecho.net'
- 'ipinfo.io'
- 'ipip.net'
- 'ipof.in'
- 'ipv4.icanhazip.com'
- 'ipv4bot.whatismyipaddress.com'
- 'ipv6-test.com'
- 'ipwho.is'
- 'jsonip.com'
- 'myexternalip.com'
- 'seeip.org'
- 'wgetip.com'
- 'whatismyip.akamai.com'
- 'whois.pconline.com.cn'
- 'wtfismyip.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.t1018
- attack.t1558
- attack.t1589.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enable'
detection:
selection:
ScriptBlockText|contains:
- '-Properties*TrustedForDelegation'
- '-Properties*TrustedToAuthForDelegation'
- '-Properties*msDS-AllowedToDelegateTo'
- '-Properties*PrincipalsAllowedToDelegateToAccount'
- '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
- attack.discovery
- attack.t1018
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
- '.findall()'
- 'Properties.name'
condition: selection
falsepositives:
- Unknown
level: medium
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://ss64.com/nt/for.html
- https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
- attack.execution
- attack.t1059
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_loop:
CommandLine|contains:
- 'for '
- 'foreach '
selection_tools:
CommandLine|contains:
- 'nslookup'
- 'ping'
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium
title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: test
description: Detects when a repository or an organization is being transferred to another location.
references:
- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
- https://docs.github.com/en/migrations
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
- attack.persistence
- attack.exfiltration
- attack.t1020
- attack.t1537
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
- 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
- 'org.transfer' # An organization was transferred between enterprise accounts.
- 'repo.transfer_outgoing' # A repository was transferred to another repository network.
condition: selection
falsepositives:
- Allowed administrative activities.
level: medium
title: Github Fork Private Repositories Setting Enabled/Cleared
id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
status: test
description: |
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
references:
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
- attack.persistence
- attack.exfiltration
- attack.t1020
- attack.t1537
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
- 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
condition: selection
falsepositives:
- Allowed administrative activities.
level: medium
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: test
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: rds.amazonaws.com
responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
eventName: ModifyDBInstance
condition: selection_source
falsepositives:
- Benign changes to a db instance
level: medium
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
- https://www.fortypoundhead.com/showcontent.asp?artid=24022
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-content '
- 'foreach'
- '[System.Net.Dns]::GetHostEntry'
- 'Out-File'
condition: selection
falsepositives:
- The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
- https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
selection_opt:
CommandLine|contains:
- ' -L '
- ' -P '
- ' -R '
- ' -pw '
- ' -ssh '
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
- attack.execution
- attack.lateral-movement
- attack.t1569
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\psexec.exe'
- OriginalFileName: 'psexec.c'
condition: selection
falsepositives:
- Administrative scripts.
level: medium
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
selection_cli:
CommandLine|contains|windash: ' /v:'
filter_optional_wsl:
# Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- WSL (Windows Sub System For Linux)
level: medium
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1572
- attack.t1021.001
- attack.t1021.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains|windash: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: medium
title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
related:
- id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
type: similar
status: experimental
description: |
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
references:
- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-15
tags:
- attack.lateral-movement
- attack.t1021.001
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\wmic.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'wmic.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_method:
CommandLine|contains:
- 'rdtoggle'
- 'Win32_TerminalServiceSetting'
selection_cli_property:
CommandLine|contains: 'SetAllowTSConnections'
condition: all of selection_*
falsepositives:
- Legitimate system administrators enabling RDP for remote support
- System configuration scripts during deployment
level: medium
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4825
condition: selection
falsepositives:
- Valid user was not added to RDP group
level: medium
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research), @neu5ron
date: 2018-11-28
modified: 2022-10-09
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path|endswith: 'IPC$'
name: spoolss
condition: selection
falsepositives:
- Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
level: medium
title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
status: test
description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
author: frack113
date: 2022-08-13
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-PSDrive'
- '-psprovider '
- 'filesystem'
- '-root '
- '\\\\'
- '$'
condition: selection
falsepositives:
- Unknown
level: medium
title: PUA - CSExec Default Named Pipe
id: f318b911-ea88-43f4-9281-0de23ede628e
related:
- id: 9e77ed63-2ecf-4c7b-b09d-640834882028
type: obsolete
status: test
description: Detects default CSExec pipe creation
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://github.com/malcomvetter/CSExec
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.execution
- attack.t1569.002
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains: '\csexecsvc'
condition: selection
falsepositives:
- Legitimate Administrator activity
level: medium
title: PUA - RemCom Default Named Pipe
id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
related:
- id: 9e77ed63-2ecf-4c7b-b09d-640834882028
type: obsolete
status: test
description: Detects default RemCom pipe creation
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://github.com/kavika13/RemCom
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.execution
- attack.t1569.002
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains: '\RemCom'
condition: selection
falsepositives:
- Legitimate Administrator activity
level: medium
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
- attack.lateral-movement
- attack.collection
- attack.exfiltration
- attack.t1039
- attack.t1048
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_target:
CommandLine|contains:
- '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
- '\Sysvol\'
selection_other_tools:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'copy'
selection_pwsh_img:
- Image|contains:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- 'copy-item'
- 'copy '
- 'cpi '
- ' cp '
- 'move '
- ' move-item'
- ' mi '
- ' mv '
condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
- Administrative scripts
level: medium
title: Windows Admin Share Mount Via Net.EXE
id: 3abd6094-7027-475f-9630-8ab9be7b9725
related:
- id: f117933c-980c-4f78-b384-e3d838111165
type: similar
status: test
description: Detects when an admin share is mounted using net.exe
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
date: 2020-10-05
modified: 2023-02-21
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' \\\\*\\*$'
condition: all of selection_*
falsepositives:
- Administrators
level: medium
title: Password Provided In Command Line Of Net.EXE
id: d4498716-1d52-438f-8084-4a603157d131
status: test
description: Detects a when net.exe is called with a password in the command line
references:
- Internal Research
author: Tim Shelton (HAWK.IO)
date: 2021-12-09
modified: 2023-02-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.lateral-movement
- attack.stealth
- attack.t1021.002
- attack.t1078
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ':*\\'
- '/USER:* *'
filter_main_empty:
CommandLine|endswith: ' '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Unsigned or Unencrypted SMB Connection to Share Established
id: 8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12
status: experimental
description: |
Detects SMB server connections to shares without signing or encryption enabled.
This could indicate potential lateral movement activity using unsecured SMB shares.
author: Mohamed Abdelghani
date: 2025-10-19
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: smbserver-connectivity
detection:
selection_shares:
EventID: 4000
ShareName|contains:
- 'IPC$'
- 'ADMIN$'
- 'C$'
selection_status:
- SigningUsed: 'false'
- EncyptionUsed: 'false' # Note: typo in the original event field name
filter_main_local_ips:
- ClientAddress|cidr:
# IPv4
# - '10.0.0.0/8'
- '127.0.0.0/8'
- '169.254.0.0/16'
# - '172.16.0.0/12'
# - '192.168.0.0/16'
# IPv6
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
# The filters below cover the XML raw log
- ClientAddress|contains:
# IPv6
- '00000000000000000000000000000001' # ::1 - IPv6 loopback
- 'FE80000000000000' # fe80:: - IPv6 link-local addresses
- 'FC00000000000000' # fc00:: - IPv6 private addresses
# IPv4
# The "?" are meant to represent the port
# - '0200????C0A8' # 192.168.
# - '0200????AC' # 172.
# - '0200????0A' # 10.
- '0200????7F' # 127
- '0200????A9FE' # 169.254.
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.
level: medium
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
description: Detects remote service activity via remote access to the svcctl named pipe
references:
- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
- attack.lateral-movement
- attack.persistence
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: svcctl
AccessList|contains: 'WriteData'
condition: selection
falsepositives:
- Unknown
level: medium
title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research)
date: 2018-11-28
modified: 2022-08-11
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: spoolss
condition: selection
falsepositives:
- 'Domain Controllers acting as printer servers too? :)'
level: medium
title: Bitbucket Global SSH Settings Changed
id: 16ab6143-510a-44e2-a615-bdb80b8317fc
status: test
description: Detects Bitbucket global SSH access configuration changes.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.lateral-movement
- attack.defense-impairment
- attack.t1685
- attack.t1021.004
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Global administration'
auditType.action: 'SSH settings changed'
condition: selection
falsepositives:
- Legitimate user activity.
level: medium
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: test
description: |
Detects SSH user login access failures.
Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
references:
- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
- https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.lateral-movement
- attack.credential-access
- attack.t1021.004
- attack.t1110
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Authentication'
auditType.action: 'User login failed(SSH)'
condition: selection
falsepositives:
- Legitimate user wrong password attempts.
level: medium
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
- attack.execution
- attack.t1059.003
- attack.lateral-movement
- attack.t1021.004
- attack.command-and-control
- attack.t1219
logsource:
product: windows
category: process_creation
detection:
selection_img:
ParentImage|endswith: '\ITSMService.exe'
Image|endswith: '\ssh-shellhost.exe'
CommandLine|contains: '--pty'
selection_cli_shell:
CommandLine|contains:
- 'bash'
- 'cmd'
- 'powershell'
- 'pwsh'
condition: all of selection_*
falsepositives:
- Legitimate use of OpenEDR for remote command execution
level: medium
title: OpenSSH Server Listening On Socket
id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
status: test
description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
- https://winaero.com/enable-openssh-server-windows-10/
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
- https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: mdecrevoisier
date: 2022-10-25
tags:
- attack.lateral-movement
- attack.t1021.004
logsource:
product: windows
service: openssh
detection:
selection:
EventID: 4
process: sshd
payload|startswith: 'Server listening on '
condition: selection
falsepositives:
- Legitimate administrator activity
level: medium
title: Execute Invoke-command on Remote Host
id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
author: frack113
date: 2022-01-07
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'invoke-command '
- ' -ComputerName '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: medium
title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022-01-07
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Enable-PSRemoting '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: medium
title: HackTool - WinRM Access Via Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: test
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
- https://github.com/Hackplayers/evil-winrm
author: frack113
date: 2022-01-07
modified: 2023-02-13
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ruby.exe'
CommandLine|contains|all:
- '-i '
- '-u '
- '-p '
condition: selection
falsepositives:
- Unknown
level: medium
title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
status: test
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
- attack.execution
- attack.lateral-movement
- attack.t1059.001
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wsmprovhost.exe'
- ParentImage|endswith: '\wsmprovhost.exe'
condition: selection
falsepositives:
- Legitimate usage of remote Powershell, e.g. for monitoring purposes.
level: medium
title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
ParentImage|endswith: '\winrshost.exe'
filter_main_conhost:
Image: 'C:\Windows\System32\conhost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of WinRM within the organization
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
Payload|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
Payload|endswith: 'readtoend'
condition: selection_4103
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4103
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4104
falsepositives:
- Unknown
level: medium