Sigma rules for Cellebrite
500 rules · scoped to actor · back to Cellebrite
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: test
description: |
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
author: toffeebr33k
date: 2021-08-09
modified: 2024-04-26
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateLoginProfile'
filter_main_user_identity:
userIdentity.arn|fieldref: requestParameters.userName
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate user account administration
level: high
title: Anomalous User Activity
id: 258b6593-215d-4a26-a141-c8e31c1299a6
status: test
description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousUserActivity'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Bulk Deletion Changes To Privileged Account Permissions
id: 102e11e3-2db5-4c9e-bc26-357d42585d21
status: test
description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Remove eligible member (permanent)
- Remove eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of removing members from a role
level: high
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1059.012
- attack.t1098
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
CommandLine|contains|all:
- ' permission '
- ' set'
- 'Admin'
condition: selection
falsepositives:
- Legitimate administration activities
level: high
title: Privileged User Has Been Created
id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
status: test
description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
references:
- https://digital.nhs.uk/cyber-alerts/2018/cc-2825
- https://linux.die.net/man/8/useradd
- https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
author: Pawel Mazur
date: 2022-12-21
modified: 2025-01-21
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
product: linux
definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'
detection:
# Example of the events that could be observed when matching these would be as follow
# Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
# Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
# Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
# Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
selection_new_user:
- 'new user'
selection_uids_gids:
- 'GID=0,' # root group
- 'UID=0,' # root UID
- 'GID=10,' # wheel group
- 'GID=27,' # sudo group
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'username'
- 'aaa'
condition: keywords
falsepositives:
- When remote authentication is in place, this should not change often
level: high
title: User Added To Highly Privileged Group
id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
related:
- id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
type: similar
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
status: test
description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
references:
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
# net.exe
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
# powershell.exe
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Group Policy Creator Owners'
- 'Schema Admins'
condition: all of selection_*
falsepositives:
- Administrative activity that must be investigated
level: high
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
id: 2c99737c-585d-4431-b61a-c911d86ff32f
status: test
description: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
date: 2019-04-03
modified: 2022-08-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)'
detection:
selection:
EventID: 5136
AttributeLDAPDisplayName: 'ntSecurityDescriptor'
AttributeValue|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter_main_dns_object_class:
ObjectClass:
- 'dnsNode'
- 'dnsZoneScope'
- 'dnsZone'
condition: selection and not 1 of filter_main_*
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: high
title: Password Change on Directory Service Restore Mode (DSRM) Account
id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
related:
- id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
type: similar
status: stable
description: |
Detects potential attempts made to set the Directory Services Restore Mode administrator password.
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.
Attackers may change the password in order to obtain persistence.
references:
- https://adsecurity.org/?p=1714
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
author: Thomas Patzke
date: 2017-02-19
modified: 2020-08-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection:
EventID: 4794
condition: selection
falsepositives:
- Initial installation of a domain controller.
level: high
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
- https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-12-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection_base:
EventID: 4704
selection_keywords:
PrivilegeList|contains: 'SeEnableDelegationPrivilege'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Active Directory User Backdoors
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
status: test
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/
author: '@neu5ron'
date: 2017-04-13
modified: 2024-02-26
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
filter_empty:
AllowedToDelegateTo:
- ''
- '-'
filter_null:
AllowedToDelegateTo: null
selection_5136_1:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
selection_5136_2:
EventID: 5136
ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName'
selection_5136_3:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*
falsepositives:
- Unknown
level: high
title: Password Spray Activity
id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
status: test
description: Indicates that a password spray attack has been successfully performed.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1110
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'passwordSpray'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: HackTool - Hydra Password Bruteforce Execution
id: aaafa146-074c-11eb-adc1-0242ac120002
status: test
description: Detects command line parameters used by Hydra password guessing hack tool
references:
- https://github.com/vanhauser-thc/thc-hydra
author: Vasiliy Burov
date: 2020-10-05
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1110
- attack.t1110.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-u '
- '-p '
CommandLine|contains:
- '^USER^'
- '^PASS^'
condition: selection
falsepositives:
- Software that uses the caret encased keywords PASS and USER in its command line
level: high
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
- attack.initial-access
- attack.t1190
- attack.credential-access
- attack.t1110
logsource:
category: proxy
detection:
selection:
c-useragent|contains:
# Vulnerability scanner and brute force tools
- '(hydra)'
- ' arachni/'
- ' BFAC '
- ' brutus '
- ' cgichk '
- 'core-project/1.0'
- ' crimscanner/'
- 'datacha0s'
- 'dirbuster'
- 'domino hunter'
- 'dotdotpwn'
- 'FHScan Core'
- 'floodgate'
- 'get-minimal'
- 'gootkit auto-rooter scanner'
- 'grendel-scan'
- ' inspath '
- 'internet ninja'
- 'jaascois'
- ' zmeu '
- 'masscan'
- ' metis '
- 'morfeus fucking scanner'
- 'n-stealth'
- 'nsauditor'
- 'pmafind'
- 'security scan'
- 'springenwerk'
- 'teh forest lobster'
- 'toata dragostea'
- ' vega/'
- 'voideye'
- 'webshag'
- 'webvulnscan'
- ' whcc/'
# SQL Injection
- ' Havij'
- 'absinthe'
- 'bsqlbf'
- 'mysqloit'
- 'pangolin'
- 'sql power injector'
- 'sqlmap'
- 'sqlninja'
- 'uil2pn'
# Hack tool
- 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Hashcat Password Cracker Execution
id: 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf
status: test
description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
- https://hashcat.net/wiki/doku.php?id=hashcat
author: frack113
date: 2021-12-27
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1110.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\hashcat.exe'
selection_cli:
CommandLine|contains|all:
- '-a '
- '-m 1000 '
- '-r '
condition: 1 of selection_*
falsepositives:
- Tools that use similar command line flags and values
level: high
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1140
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'mcasSuspiciousInboxManipulationRules'
condition: selection
falsepositives:
- Actual mailbox rules that are moving items based on their workflow.
level: high
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
- attack.stealth
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020-1599
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'mshta.exe'
selection_cli:
CommandLine|contains:
- '.7z'
- '.avi'
- '.bat'
- '.bmp'
- '.conf'
- '.csv'
- '.dll'
- '.doc'
- '.gif'
- '.gz'
- '.ini'
- '.jpe'
- '.jpg'
- '.json'
- '.lnk'
- '.log'
- '.mkv'
- '.mp3'
- '.mp4'
- '.pdf'
- '.png'
- '.ppt'
- '.rar'
- '.rtf'
- '.svg'
- '.tar'
- '.tmp'
- '.txt'
- '.xls'
- '.xml'
- '.yaml'
- '.yml'
- '.zip'
- 'vbscript'
# - '.chm' # could be prone to false positives
# - '.exe'
condition: all of selection_*
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
id: 5588576c-5898-4fac-bcdd-7475a60e8f43
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
type: similar
- id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
type: similar
status: experimental
description: |
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dns
detection:
selection:
query|contains|all:
- 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
type: similar
- id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
type: similar
status: experimental
description: |
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
type: similar
status: experimental
description: |
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
status: test
description: Detect PetitPotam coerced authentication activity.
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$
ShareName|endswith: '\IPC$'
RelativeTargetName: lsarpc
SubjectUserName: ANONYMOUS LOGON
condition: selection
falsepositives:
- Unknown. Feedback welcomed.
level: high
title: PetitPotam Suspicious Kerberos TGT Request
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
status: test
description: |
Detect suspicious Kerberos TGT requests.
Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
This request will generate a 4768 event with some unusual fields depending on the environment.
This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
- https://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-10-05
tags:
- attack.credential-access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
detection:
selection:
EventID: 4768
TargetUserName|endswith: '$'
CertThumbprint|contains: '*'
filter_local:
IpAddress: '::1'
filter_thumbprint:
CertThumbprint: ''
condition: selection and not 1 of filter_*
falsepositives:
- False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
level: high
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
- https://gtfobins.github.io/gtfobins/wget/
- https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
- attack.execution
- attack.t1059.004
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection_downloader:
CommandLine|contains:
- '/curl'
- '/wget'
selection_tmp:
CommandLine|contains:
- '/tmp/'
- '/dev/shm/'
selection_executor:
CommandLine|contains: 'sh -c'
condition: all of selection_*
falsepositives:
- System update scripts using temporary files
- Installer scripts or automated provisioning tools
level: high
title: Network Connection Initiated By Eqnedt32.EXE
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: test
description: Detects network connections from the Equation Editor process "eqnedt32.exe".
references:
- https://twitter.com/forensicitguy/status/1513538712986079238
- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
- https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
author: Max Altgelt (Nextron Systems)
date: 2022-04-14
modified: 2024-05-31
tags:
- attack.execution
- attack.t1203
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\eqnedt32.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: Guacamole Two Users Sharing Session Anomaly
id: 1edd77db-0669-4fef-9598-165bda82826d
status: test
description: Detects suspicious session with two users present
references:
- https://research.checkpoint.com/2020/apache-guacamole-rce/
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1212
logsource:
product: linux
service: guacamole
detection:
selection:
- '(2 users now present)'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious NTLM Authentication on the Printer Spooler Service
id: bb76d96b-821c-47cf-944b-7ce377864492
status: test
description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
references:
- https://twitter.com/med0x2e/status/1520402518685200384
- https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
author: Elastic (idea), Tobias Michalski (Nextron Systems)
date: 2022-05-04
modified: 2023-02-09
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1212
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'C:\windows\system32\davclnt.dll,DavSetCookie'
- 'http'
CommandLine|contains:
- 'spoolss'
- 'srvsvc'
- '/print/pipe/'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
- attack.credential-access
- attack.t1212
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 675
- 4768
- 4769
- 4771
Status:
- '0x9'
- '0xA'
- '0xB'
- '0xF'
- '0x10'
- '0x11'
- '0x13'
- '0x14'
- '0x1A'
- '0x1F'
- '0x21'
- '0x22'
- '0x23'
- '0x24'
- '0x26'
- '0x27'
- '0x28'
- '0x29'
- '0x2C'
- '0x2D'
- '0x2E'
- '0x2F'
- '0x31'
- '0x32'
- '0x3E'
- '0x3F'
- '0x40'
- '0x41'
- '0x43'
- '0x44'
condition: selection
falsepositives:
- Faulty legacy applications
level: high
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: test
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.collection
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 16001
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential RemoteFXvGPUDisablement.EXE Abuse
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
service: powershell-classic
definition: fields have to be extract from event
detection:
selection:
Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: test
description: |
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2024-07-16
tags:
- attack.stealth
- attack.t1218
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\addinutil.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.ps1'
- '.bat'
- '.vbs'
- '.scf'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious DotNET CLR Usage Log Artifact
id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
related:
- id: 4508a70e-97ef-4300-b62b-ff27992990ea
type: derived
- id: e4b63079-6198-405c-abd7-3fe8b0ce3263
type: obsolete
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
- https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
- https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
author: frack113, omkar72, oscd.community, Wojciech Lesicki
date: 2022-11-18
modified: 2023-02-23
tags:
- attack.stealth
- attack.t1218
logsource:
category: file_event
product: windows
definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
detection:
selection:
TargetFilename|endswith:
- '\UsageLogs\cmstp.exe.log'
- '\UsageLogs\cscript.exe.log'
- '\UsageLogs\mshta.exe.log'
- '\UsageLogs\msxsl.exe.log'
- '\UsageLogs\regsvr32.exe.log'
- '\UsageLogs\rundll32.exe.log'
- '\UsageLogs\svchost.exe.log'
- '\UsageLogs\wscript.exe.log'
- '\UsageLogs\wmic.exe.log'
filter_main_rundll32:
# This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
ParentImage|endswith: '\MsiExec.exe'
ParentCommandLine|contains: ' -Embedding'
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'Temp'
- 'zzzzInvokeManagedCustomActionOutOfProc'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
level: high
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
- id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
type: similar
status: experimental
description: |
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
- https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection_img:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\cmdl32.exe'
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
- '\bitsadmin.exe'
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
- '\expand.exe'
- '\extrac32.exe'
- '\replace.exe'
- '\mshta.exe'
- '\ftp.exe'
- '\Ldifde.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
- '\findstr.exe'
selection_locations:
TargetFilename|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables
- \winword.exe
- \excel.exe
- \powerpnt.exe
- \msaccess.exe
- \mspub.exe
- \eqnedt32.exe
- \visio.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- \finger.exe
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \notepad.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \mshta.exe
- \hh.exe
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.7z'
- '.diagcab'
- '.appx'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
- https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
category: process_creation
product: windows
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.003
- attack.t1218
detection:
selection:
ParentImage|endswith: '\SpeechRuntime.exe'
condition: selection
falsepositives:
- Unlikely.
level: high
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
- https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith: '\WorkFolders.exe'
filter:
Image: 'C:\Windows\System32\control.exe'
condition: selection and not filter
falsepositives:
- Legitimate usage of the uncommon Windows Work Folders feature.
level: high
title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcwrun.exe'
CommandLine|contains: '../'
condition: selection
falsepositives:
- Unlikely
level: high
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\provlaunch.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Renamed MegaSync Execution
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
status: test
description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
references:
- https://redcanary.com/blog/rclone-mega-extortion/
author: Sittikorn S
date: 2021-06-22
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
OriginalFileName: 'megasync.exe'
filter:
Image|endswith: '\megasync.exe'
condition: selection and not filter
falsepositives:
- Software that illegally integrates MegaSync in a renamed form
- Administrators that have renamed MegaSync
level: high
title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|contains: '\choice'
filter_main_legit_location:
Image|endswith:
- 'C:\Windows\System32\choice.exe'
- 'C:\Windows\SysWOW64\choice.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
title: Suspicious AddinUtil.EXE CommandLine Execution
id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
status: test
description: |
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\addinutil.exe'
- OriginalFileName: 'AddInUtil.exe'
selection_susp_1_flags:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
selection_susp_1_paths:
CommandLine|contains:
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
selection_susp_2:
CommandLine|contains:
- '-AddInRoot:.'
- '-AddInRoot:"."'
- '-PipelineRoot:.'
- '-PipelineRoot:"."'
CurrentDirectory|contains:
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
condition: selection_img and (all of selection_susp_1_* or selection_susp_2)
falsepositives:
- Unknown
level: high
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
- id: aaf46cdc-934e-4284-b329-34aa701e3771
type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- Image|contains:
- '\AppData\Local\'
- '\AppData\Roaming\'
- ':\Users\Public\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\PerfLogs\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
- id: 7dc2dedd-7603-461a-bc13-15803d132355
type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.stealth
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\conhost.exe'
selection_child:
- Image|endswith:
- '\cmd.exe' # Windows Command Prompt
- '\cscript.exe' # Windows Script Host (used for scripting exploits)
- '\mshta.exe' # MSHTA (HTML Application Host, often abused)
- '\powershell_ise.exe' # PowerShell ISE
- '\powershell.exe' # Windows PowerShell
- '\pwsh.exe' # PowerShell Core
- '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
- '\wscript.exe' # Windows Script Host (for executing scripts)
- OriginalFileName:
- 'cmd.exe'
- 'cscript.exe'
- 'mshta.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'pwsh.dll'
- 'regsvr32.exe'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
title: Suspicious AgentExecutor PowerShell Execution
id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
related:
- id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
type: similar
status: test
description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
- https://twitter.com/lefterispan/status/1286259016436514816
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- https://twitter.com/jseerden/status/1247985304667066373/photo/1
date: 2022-12-24
modified: 2024-08-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\AgentExecutor.exe'
- OriginalFileName: 'AgentExecutor.exe'
selection_cli:
# Example:
# AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
# Note:
# - If [timeoutSeconds] is NULL then it defaults to 60000
# - If [enforceSignatureCheck] is:
# - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
# - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
# - [powershellPath] is always concatendated to "powershell.exe"
CommandLine|contains:
- ' -powershell' # Also covers the "-powershellDetection" flag
- ' -remediationScript'
filter_main_pwsh:
CommandLine|contains:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
filter_main_intune:
ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high