Sigma rules for Cellebrite
500 rules · scoped to actor · back to Cellebrite
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
- id: 2ff692c2-4594-41ec-8fcb-46587de769e0
type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
- https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
- https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
- attack.credential-access
- attack.collection
- attack.t1003.002
- attack.t1005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
EventID: 1001
condition: selection
level: medium
title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
- https://o365blog.com/post/adfs/
- https://github.com/Azure/SimuLand
author: Roberto Rodriguez @Cyb3rWard0g
date: 2021-10-08
modified: 2023-11-30
tags:
- attack.collection
- attack.t1005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName: '\MICROSOFT##WID\tsql\query'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\system32\svchost.exe'
- ':\Windows\System32\wsmprovhost.exe'
- ':\Windows\SysWOW64\mmc.exe'
- ':\Windows\SysWOW64\wsmprovhost.exe'
- ':\Windows\WID\Binn\sqlwriter.exe'
- '\AzureADConnect.exe'
- '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
- '\Microsoft.IdentityServer.ServiceHost.exe'
- '\Microsoft.Tri.Sensor.exe'
- '\sqlservr.exe'
- '\tssdis.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*
falsepositives:
- Legitimate use
level: medium
title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_sql:
Image|endswith: '\sqlcmd.exe'
CommandLine|contains|all:
- 'VeeamBackup'
- 'From '
selection_db:
CommandLine|contains:
- 'BackupRepositories'
- 'Backups'
- 'Credentials'
- 'HostCreds'
- 'SmbFileShares'
- 'Ssh_creds'
- 'VSphereInfo'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'ServicesActive'
AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
filter:
SubjectLogonId: '0x3e4'
condition: selection and not filter
falsepositives:
- Unknown
# triggering on many hosts in some environments
level: medium
title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: test
description: Detects when a repository or an organization is being transferred to another location.
references:
- https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
- https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
- https://docs.github.com/en/migrations
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
- attack.persistence
- attack.exfiltration
- attack.t1020
- attack.t1537
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
- 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
- 'org.transfer' # An organization was transferred between enterprise accounts.
- 'repo.transfer_outgoing' # A repository was transferred to another repository network.
condition: selection
falsepositives:
- Allowed administrative activities.
level: medium
title: Github Fork Private Repositories Setting Enabled/Cleared
id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
status: test
description: |
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
references:
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
- attack.persistence
- attack.exfiltration
- attack.t1020
- attack.t1537
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
- 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
condition: selection
falsepositives:
- Allowed administrative activities.
level: medium
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: test
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: rds.amazonaws.com
responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
eventName: ModifyDBInstance
condition: selection_source
falsepositives:
- Benign changes to a db instance
level: medium
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
- https://www.fortypoundhead.com/showcontent.asp?artid=24022
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-content '
- 'foreach'
- '[System.Net.Dns]::GetHostEntry'
- 'Out-File'
condition: selection
falsepositives:
- The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
Payload|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
Payload|endswith: 'readtoend'
condition: selection_4103
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4103
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4104
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
ScriptBlockText|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
ScriptBlockText|endswith: 'readtoend'
condition: selection_4104
falsepositives:
- Unknown
level: medium
title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
- https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
- https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
- https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
- attack.stealth
- attack.t1036.003
- attack.t1036
- attack.t1027.005
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\rcedit-x64.exe'
- '\rcedit-x86.exe'
- Description: 'Edit resources of exe'
- Product: 'rcedit'
selection_flags:
CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
selection_attributes:
CommandLine|contains:
- 'OriginalFileName'
- 'CompanyName'
- 'FileDescription'
- 'ProductName'
- 'ProductVersion'
- 'LegalCopyright'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-exportPFX '
condition: all of selection_*
falsepositives:
- There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
- id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://redcanary.com/blog/yellow-cockatoo/
- https://zero2auto.com/2020/05/19/netwalker-re/
- https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
selection_cli_xor:
CommandLine|contains: 'bxor'
selection_cli_other:
CommandLine|contains:
- 'ForEach'
- 'for('
- 'for '
- '-join '
- "-join'"
- '-join"'
- '-join`'
- '::Join'
- '[char]'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains: 'http'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
CommandLine|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
- 'readtoend('
condition: selection
falsepositives:
- Unknown
level: medium
title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
condition: all of selection_*
falsepositives:
- As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'ConvertTo-SecureString'
condition: all of selection_*
falsepositives:
- Legitimate use to pass password to different powershell commands
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
falsepositives:
- Unknown
level: medium
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: security
detection:
selection:
EventID: 5379
TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
filter: # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
TargetName|contains: '\Temporary Internet Files\Content.Outlook'
condition: selection and not filter
falsepositives:
- Legitimate used of encrypted ZIP files
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
- id: 175997c5-803c-4b08-8bb0-70b099f47595
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- 'readtoend'
ServiceFileName|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
condition: selection
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- 'readtoend'
ImagePath|contains:
- ':system.io.compression.deflatestream'
- 'system.io.streamreader'
condition: selection
falsepositives:
- Unknown
level: medium
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
- attack.impact
- attack.stealth
- attack.defense-impairment
- attack.t1070.004
- attack.t1027.005
- attack.t1485
- attack.t1553.002
- attack.s0195
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
- 4658
ObjectName|endswith:
- '.AAA'
- '.ZZZ'
condition: selection
falsepositives:
- Legitimate usage of SDelete
- Files that are interacted with that have these extensions legitimately
level: medium
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
- attack.lateral-movement
- attack.collection
- attack.exfiltration
- attack.t1039
- attack.t1048
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_target:
CommandLine|contains:
- '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
- '\Sysvol\'
selection_other_tools:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'copy'
selection_pwsh_img:
- Image|contains:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- 'copy-item'
- 'copy '
- 'cpi '
- ' cp '
- 'move '
- ' move-item'
- ' mi '
- ' mv '
condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
- Administrative scripts
level: medium
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
related:
- id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
type: similar
status: test
description: Detects known sensitive file extensions accessed on a network share
references:
- Internal Research
author: Samir Bousseaden
date: 2019-04-03
modified: 2025-10-17
tags:
- attack.collection
- attack.t1039
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith:
- '.bak'
- '.dmp'
- '.edb'
- '.kirbi'
- '.msg'
- '.nsf'
- '.nst'
- '.oab'
- '.ost'
- '.pst'
- '.rdp'
# - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or backup software
- Users working with these data types or exchanging message files
level: medium
title: Network Communication Initiated To Portmap.IO Domain
id: 07837ab9-60e1-481f-a74d-c31fb496a94c
status: test
description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
references:
- https://portmap.io/
- https://github.com/rapid7/metasploit-framework/issues/11337
- https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
- attack.t1041
- attack.command-and-control
- attack.t1090.002
- attack.exfiltration
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith: '.portmap.io'
condition: selection
falsepositives:
- Legitimate use of portmap.io domains
level: medium
title: Powershell Keylogging
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
status: test
description: Adversaries may log user keystrokes to intercept credentials as the user types them.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
author: frack113
date: 2021-07-30
modified: 2022-07-11
tags:
- attack.credential-access
- attack.collection
- attack.t1056.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_basic:
ScriptBlockText|contains: 'Get-Keystrokes'
selection_high: # want to run in background and keyboard
ScriptBlockText|contains|all:
- 'Get-ProcAddress user32.dll GetAsyncKeyState'
- 'Get-ProcAddress user32.dll GetForegroundWindow'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
- https://twitter.com/ScumBots/status/1610626724257046529
- https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
- https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
- https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
- attack.collection
- attack.credential-access
- attack.t1056.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
condition: selection
falsepositives:
- Unknown
level: medium
title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2025-10-08
tags:
- attack.discovery
- attack.t1057
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# Note: Add additional CLI to increase and enhance coverage
# Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
- 'ipconfig*|*find'
- 'net*|*find'
- 'netstat*|*find'
- 'ping*|*find'
- 'systeminfo*|*find'
- 'tasklist*|*find'
- 'whoami*|*find'
filter_optional_xampp:
CommandLine|contains|all:
- 'cmd.exe /c TASKLIST /V |'
- 'FIND /I'
- '\xampp\'
- '\catalina_start.bat'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml
title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
- attack.stealth
- attack.t1059
- attack.t1204
- attack.execution
- attack.t1140
- attack.s0482
- attack.s0402
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/openssl'
CommandLine|contains|all:
- '/Volumes/'
- 'enc'
- '-base64'
- ' -d '
condition: selection
falsepositives:
- Unknown
level: medium
title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
- https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
category: process_creation
product: macos
tags:
- attack.defense-impairment
- attack.t1566
- attack.t1566.002
- attack.initial-access
- attack.t1059
- attack.t1059.002
- attack.t1204
- attack.t1204.001
- attack.execution
- attack.persistence
- attack.t1553
detection:
selection_parent:
ParentImage|endswith: '/Script Editor'
selection_img:
- Image|endswith:
- '/curl'
- '/bash'
- '/sh'
- '/zsh'
- '/dash'
- '/fish'
- '/osascript'
- '/mktemp'
- '/chmod'
- '/php'
- '/nohup'
- '/openssl'
- '/plutil'
- '/PlistBuddy'
- '/xattr'
- '/sqlite'
- '/funzip'
- '/popen'
- Image|contains:
- 'python'
- 'perl'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
- attack.t1059
- attack.t1059.007
- attack.t1071
- attack.t1071.001
- attack.execution
- attack.command-and-control
logsource:
category: process_creation
product: macos
detection:
selection_installer:
ParentImage|endswith:
- '/package_script_service'
- '/installer'
Image|endswith:
- '/sh'
- '/bash'
- '/dash'
- '/python'
- '/ruby'
- '/perl'
- '/php'
- '/javascript'
- '/osascript'
- '/tclsh'
- '/curl'
- '/wget'
CommandLine|contains:
- 'preinstall'
- 'postinstall'
condition: selection_installer
falsepositives:
- Legitimate software uses the scripts (preinstall, postinstall)
level: medium
title: Suspicious Browser Child Process - MacOS
id: 0250638a-2b28-4541-86fc-ea4c558fa0c6
status: test
description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
references:
- https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
author: Sohan G (D4rkCiph3r)
date: 2023-04-05
tags:
- attack.initial-access
- attack.execution
- attack.t1189
- attack.t1203
- attack.t1059
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|contains:
- 'com.apple.WebKit.WebContent'
- 'firefox'
- 'Google Chrome Helper'
- 'Google Chrome'
- 'Microsoft Edge'
- 'Opera'
- 'Safari'
- 'Tor Browser'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/ksh'
- '/osascript'
- '/perl'
- '/php'
- '/pwsh'
- '/python'
- '/sh'
- '/tcsh'
- '/wget'
- '/zsh'
filter_main_generic:
CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file
filter_main_ms_autoupdate:
CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility
filter_main_chrome:
ParentImage|contains:
- 'Google Chrome Helper'
- 'Google Chrome'
CommandLine|contains:
- '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser
- '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files
- '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks
filter_main_ms_edge:
ParentImage|contains: 'Microsoft Edge'
CommandLine|contains:
- 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge)
- 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge)
filter_main_chromerecovery:
ParentImage|contains:
- 'Google Chrome Helper'
- 'Google Chrome'
CommandLine|contains|all:
- '/Users/'
- '/Library/Application Support/Google/Chrome/recovery/'
- '/ChromeRecovery'
filter_optional_null:
# Aoids alerting for the events which do not have command-line arguments
CommandLine: null
filter_optional_empty:
# Aoids alerting for the events which do not have command-line arguments
CommandLine: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate browser install, update and recovery scripts
level: medium
title: Azure New CloudShell Created
id: 72af37e2-ec32-47dc-992b-bc288a2708cb
status: test
description: Identifies when a new cloudshell is created inside of Azure portal.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-09-21
modified: 2022-08-23
tags:
- attack.execution
- attack.t1059
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
condition: selection
falsepositives:
- A new cloudshell may be created by a system administrator.
level: medium
title: Potential Xterm Reverse Shell
id: 4e25af4b-246d-44ea-8563-e42aacab006b
status: test
description: Detects usage of "xterm" as a potential reverse shell tunnel
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-24
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains: 'xterm'
CommandLine|contains: '-display'
CommandLine|endswith: ':1'
condition: selection
falsepositives:
- Unknown
level: medium
title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
- id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
type: similar
status: test
description: |
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli_import:
CommandLine|contains:
- 'import pty'
- 'from pty '
selection_cli_spawn:
CommandLine|contains: 'spawn'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Windows Defender Exclusions Added - PowerShell
id: c1344fa2-323b-4d2e-9176-84b4d4821c88
related:
- id: 17769c90-230e-488b-a463-e05c08e9d48f
type: similar
status: test
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
- https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-16
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1685
- attack.execution
- attack.t1059
logsource:
category: ps_script
product: windows
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_args_exc:
ScriptBlockText|contains:
- ' -ExclusionPath '
- ' -ExclusionExtension '
- ' -ExclusionProcess '
- ' -ExclusionIpAddress '
selection_args_pref:
ScriptBlockText|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: Suspicious File Created In PerfLogs
id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
status: test
description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
references:
- Internal Research
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\PerfLogs\'
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.bin'
- '.chm'
- '.dll'
- '.exe'
- '.hta'
- '.lnk'
- '.ps1'
- '.psm1'
- '.py'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.zip'
condition: selection
falsepositives:
- Unlikely
level: medium
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_original:
OriginalFileName: 'ftp.exe'
filter_img:
Image|endswith: '\ftp.exe'
condition: selection_original and not filter_img
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
title: Sysprep on AppData Folder
id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
status: test
description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
references:
- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
author: Florian Roth (Nextron Systems)
date: 2018-06-22
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sysprep.exe'
CommandLine|contains: '\AppData\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
title: Use of FSharp Interpreters
id: b96b2031-7c17-4473-afe7-a30ce714db29
status: test
description: |
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
Both can be used for AWL bypass and to execute F# code via scripts or inline.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
- https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
date: 2022-06-02
modified: 2024-04-23
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\fsi.exe'
- '\fsianycpu.exe'
- OriginalFileName:
- 'fsi.exe'
- 'fsianycpu.exe'
condition: selection
falsepositives:
- Legitimate use by a software developer.
level: medium
title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: test
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
- https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023-09-11
modified: 2023-10-12
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'curl.exe'
- Description: 'The curl executable'
filter_main_img:
Image|contains: '\curl'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml
title: Install New Package Via Winget Local Manifest
id: 313d6012-51a0-4d93-8dfc-de8553239e25
status: test
description: |
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option enables you to install an application by passing in a YAML file directly to the client.
Winget can be used to download and install exe, msi or msix files later.
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://lolbas-project.github.io/lolbas/Binaries/Winget/
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Sreeman, Florian Roth (Nextron Systems), frack113
date: 2020-04-21
modified: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_install_flag:
CommandLine|contains:
- 'install'
- ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
selection_manifest_flag:
CommandLine|contains:
- '-m '
- '--manifest'
condition: all of selection_*
falsepositives:
- Some false positives are expected in some environment that may use this functionality to install and test their custom applications
level: medium
title: Suspicious RASdial Activity
id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
status: test
description: Detects suspicious process related to rasdial.exe
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
date: 2019-01-16
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: 'rasdial.exe'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: test
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-21
modified: 2023-12-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
ParentImage|endswith:
- '\csrss.exe'
- '\ctfmon.exe'
- '\dllhost.exe'
- '\epad.exe'
- '\FlashPlayerUpdateService.exe'
- '\GoogleUpdate.exe'
- '\jucheck.exe'
- '\jusched.exe'
- '\LogonUI.exe'
- '\lsass.exe'
- '\regsvr32.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SIHClient.exe'
- '\sihost.exe'
- '\slui.exe'
- '\spoolsv.exe'
- '\sppsvc.exe'
- '\taskhostw.exe'
- '\unsecapp.exe'
- '\WerFault.exe'
- '\wermgr.exe'
- '\wlanext.exe'
- '\WUDFHost.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\perl.exe'
- OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://ss64.com/nt/for.html
- https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
- attack.execution
- attack.t1059
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_loop:
CommandLine|contains:
- 'for '
- 'foreach '
selection_tools:
CommandLine|contains:
- 'nslookup'
- 'ping'
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium