title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
    - https://o365blog.com/post/adfs/
    - https://github.com/Azure/SimuLand
author: Roberto Rodriguez @Cyb3rWard0g
date: 2021-10-08
modified: 2023-11-30
tags:
    - attack.collection
    - attack.t1005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName: '\MICROSOFT##WID\tsql\query'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\system32\svchost.exe'
            - ':\Windows\System32\wsmprovhost.exe'
            - ':\Windows\SysWOW64\mmc.exe'
            - ':\Windows\SysWOW64\wsmprovhost.exe'
            - ':\Windows\WID\Binn\sqlwriter.exe'
            - '\AzureADConnect.exe'
            - '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - '\Microsoft.IdentityServer.ServiceHost.exe'
            - '\Microsoft.Tri.Sensor.exe'
            - '\sqlservr.exe'
            - '\tssdis.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: 'esentutl.exe'
    selection_flag:
        CommandLine|contains|windash: '-r'
    selection_webcache:
        CommandLine|contains: '\Windows\WebCache'
    condition: all of selection*
falsepositives:
    - Legitimate use
level: medium

title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        Image|endswith: '\sqlcmd.exe'
        CommandLine|contains|all:
            - 'VeeamBackup'
            - 'From '
    selection_db:
        CommandLine|contains:
            - 'BackupRepositories'
            - 'Backups'
            - 'Credentials'
            - 'HostCreds'
            - 'SmbFileShares'
            - 'Ssh_creds'
            - 'VSphereInfo'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
      type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
    - https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
    - https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003.002
    - attack.t1005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
        EventID: 1001
    condition: selection
level: medium

title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
    - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
    - attack.discovery
    - attack.t1010
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'SC_MANAGER OBJECT'
        ObjectName: 'ServicesActive'
        AccessMask: '0xf003f'  # is used in the reference; otherwise too many FPs
        # Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
    filter:
        SubjectLogonId: '0x3e4'
    condition: selection and not filter
falsepositives:
    - Unknown
# triggering on many hosts in some environments
level: medium

title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        - DestinationHostname:
              - 'www.ip.cn'
              - 'l2.io'
        - DestinationHostname|contains:
              - 'api.2ip.ua'
              - 'api.bigdatacloud.net'
              - 'api.ipify.org'
              - 'bot.whatismyipaddress.com'
              - 'canireachthe.net'
              - 'checkip.amazonaws.com'
              - 'checkip.dyndns.org'
              - 'curlmyip.com'
              - 'db-ip.com'
              - 'edns.ip-api.com'
              - 'eth0.me'
              - 'freegeoip.app'
              - 'geoipy.com'
              - 'getip.pro'
              - 'icanhazip.com'
              - 'ident.me'
              - 'ifconfig.io'
              - 'ifconfig.me'
              - 'ip-api.com'
              - 'ip.360.cn'
              - 'ip.anysrc.net'
              - 'ip.taobao.com'
              - 'ip.tyk.nu'
              - 'ipaddressworld.com'
              - 'ipapi.co'
              - 'ipconfig.io'
              - 'ipecho.net'
              - 'ipinfo.io'
              - 'ipip.net'
              - 'ipof.in'
              - 'ipv4.icanhazip.com'
              - 'ipv4bot.whatismyipaddress.com'
              - 'ipv6-test.com'
              - 'ipwho.is'
              - 'jsonip.com'
              - 'myexternalip.com'
              - 'seeip.org'
              - 'wgetip.com'
              - 'whatismyip.akamai.com'
              - 'whois.pconline.com.cn'
              - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of the external websites for troubleshooting or network monitoring
level: medium

title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
    - id: 410ad193-a728-4107-bc79-4419789fcbf8
      type: similar
    - id: 903076ff-f442-475a-b667-4f246bcc203b
      type: similar
    - id: 77815820-246c-47b8-9741-e0def3f57308
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
    - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
    - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
    - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection_nltest:
        - Image|endswith: '\nltest.exe'
        - OriginalFileName: 'nltestrk.exe'
    selection_recon:
        - CommandLine|contains|all:
              - 'server'
              - 'query'
        - CommandLine|contains:
              - '/user'
              - 'all_trusts' # Flag for /domain_trusts
              - 'dclist:'
              - 'dnsgetdc:'
              - 'domain_trusts'
              - 'dsgetdc:'
              - 'parentdomain'
              - 'trusted_domains'
    condition: all of selection_*
falsepositives:
    - Legitimate administration use but user and host must be investigated
level: medium

title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.t1018
    - attack.t1558
    - attack.t1589.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enable'
detection:
    selection:
        ScriptBlockText|contains:
            - '-Properties*TrustedForDelegation'
            - '-Properties*TrustedToAuthForDelegation'
            - '-Properties*msDS-AllowedToDelegateTo'
            - '-Properties*PrincipalsAllowedToDelegateToAccount'
            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium

title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
    - attack.discovery
    - attack.t1018
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object '
            - 'System.DirectoryServices.DirectorySearcher'
            - '.PropertiesToLoad.Add'
            - '.findall()'
            - 'Properties.name'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
    - https://ss64.com/nt/for.html
    - https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
    - attack.execution
    - attack.t1059
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection_loop:
        CommandLine|contains:
            - 'for '
            - 'foreach '
    selection_tools:
        CommandLine|contains:
            - 'nslookup'
            - 'ping'
    condition: all of selection_*
falsepositives:
    - Legitimate script
level: medium

title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
    - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
    selection_opt:
        CommandLine|contains:
            - ' -L '
            - ' -P '
            - ' -R '
            - ' -pw '
            - ' -ssh '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1569
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\psexec.exe'
        - OriginalFileName: 'psexec.c'
    condition: selection
falsepositives:
    - Administrative scripts.
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        Payload|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        Payload|endswith: 'readtoend'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        ScriptBlockText|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ScriptBlockText|endswith: 'readtoend'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium

title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium

title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-exportPFX '
    condition: all of selection_*
falsepositives:
    - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml

title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://redcanary.com/blog/yellow-cockatoo/
    - https://zero2auto.com/2020/05/19/netwalker-re/
    - https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1140
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
    selection_cli_xor:
        CommandLine|contains: 'bxor'
    selection_cli_other:
        CommandLine|contains:
            - 'ForEach'
            - 'for('
            - 'for '
            - '-join '
            - "-join'"
            - '-join"'
            - '-join`'
            - '::Join'
            - '[char]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
            - 'URL '
    selection_http:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml

title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        CommandLine|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
            - 'readtoend('
    condition: selection
falsepositives:
    - Unknown
level: medium

title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    condition: all of selection_*
falsepositives:
    - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml

title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'ConvertTo-SecureString'
    condition: all of selection_*
falsepositives:
    - Legitimate use to pass password to different powershell commands
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter:  # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate used of encrypted ZIP files
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ImagePath|contains:
            - ':system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'storage'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium

title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'network'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium

title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vsan'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium

title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium

title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vm process'
        CommandLine|endswith: ' list'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium

title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
    - id: 435e10e4-992a-4281-96f3-38b11106adde
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium

title: Get-ADUser Enumeration Using UserAccountControl Flags
id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
status: test
description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
    - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        # 4194304 DONT_REQ_PREAUTH
        ScriptBlockText|contains|all:
            - 'Get-ADUser'
            - '-Filter'
            - 'useraccountcontrol'
            - '-band'
            - '4194304'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium

title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
    - id: 1114e048-b69c-4f41-bc20-657245ae6e3f
      type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADUser '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium

title: Enumerate All Information With Whoami.EXE
id: c248c896-e412-4279-8c15-1c558067b6fa
status: test
description: Detects the execution of "whoami.exe" with the "/all" flag
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-04
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_main_cli:
        CommandLine|contains|windash: ' -all'
    condition: all of selection_main_*
falsepositives:
    - Unknown
level: medium

title: Group Membership Reconnaissance Via Whoami.EXE
id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f
status: test
description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_cli:
        CommandLine|contains:
            - ' /groups'
            - ' -groups'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Whoami.EXE Execution With Output Option
id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
status: test
description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2023-12-04
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_main_cli:
        CommandLine|contains:
            - ' /FO CSV'
            - ' -FO CSV'
    selection_special:
        CommandLine|contains: 'whoami*>'
    condition: all of selection_main_* or selection_special
falsepositives:
    - Unknown
level: medium

title: User Discovery And Export Via Get-ADUser Cmdlet
id: 1114e048-b69c-4f41-bc20-657245ae6e3f
related:
    - id: c2993223-6da8-4b1a-88ee-668b8bf315e9
      type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'Get-ADUser '
            - ' -Filter \*'
        CommandLine|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: all of selection_*
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium

title: Whoami.EXE Execution Anomaly
id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
status: test
description: Detects the execution of whoami.exe with suspicious parent processes.
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2025-03-06
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    filter_main_known_parents:
        # This list can be any legitimate shell or application that you expect whoami to run from
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_optional_ms_monitoring_agent:
        ParentImage|endswith: ':\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
    filter_main_parent_null:
        ParentImage: null
    filter_main_parent_empty:
        ParentImage:
            - ''
            - '-'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: medium

title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
    - id: db885529-903f-4c5d-9864-28fe199e6370
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        CommandLine|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: all of selection_*
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium

title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.004
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentCommandLine: 'bash -i'
    anomaly1:
        CommandLine|contains:
            - '-c import '
            - 'base64'
            - 'pty.spawn'
    anomaly2:
        Image|endswith:
            - 'whoami'
            - 'iptables'
            - '/ncat'
            - '/nc'
            - '/netcat'
    condition: selection and 1 of anomaly*
falsepositives:
    - Legitimate software that uses these patterns
level: medium

title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|startswith: '/tmp/'
    filter_optional_nextcloud:
        Image|endswith: '/usr/bin/nextcloud'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: file_event
    product: windows
detection:
    selection_upper:
        TargetFilename|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        TargetFilename|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium

title: Potential Homoglyph Attack Using Lookalike Characters
id: 32e280f1-8ad4-46ef-9e80-910657611fbc
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-07
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_upper:
        CommandLine|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        CommandLine|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium

title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
    - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
      type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\WerFault.exe'
        - OriginalFileName: 'WerFault.exe'
    selection_cli:
        CommandLine|contains: ' -pr '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
      type: derived
status: test
description: |
    Detects a CodePage modification using the "mode.com" utility to Russian language.
    This behavior has been used by threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior:"mode con cp select=1251"
    # VT Query: behavior:"mode con cp select=866"
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
        CommandLine|endswith:
            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
    condition: all of selection_*
falsepositives:
    - Russian speaking people changing the CodePage
level: medium

title: Explorer Process Tree Break
id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
status: test
description: |
  Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
  which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
references:
    - https://twitter.com/CyberRaiju/status/1273597319322058752
    - https://twitter.com/bohops/status/1276357235954909188?s=12
    - https://twitter.com/nas_bench/status/1535322450858233858
    - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
date: 2019-06-29
modified: 2025-10-31
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
    selection_factory:
        CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
    selection_root:
        CommandLine|contains: 'explorer.exe'
        CommandLine|contains|windash: ' /root,'
        # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
        # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium

title: Suspicious Process Start Locations
id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
status: test
description: Detects suspicious process run from unusual locations
references:
    - https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1036
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
              - ':\RECYCLER\'
              - ':\SystemVolumeInformation\'
        - Image|startswith:
              - 'C:\Windows\Tasks\'
              - 'C:\Windows\debug\'
              - 'C:\Windows\fonts\'
              - 'C:\Windows\help\'
              - 'C:\Windows\drivers\'
              - 'C:\Windows\addins\'
              - 'C:\Windows\cursors\'
              - 'C:\Windows\system32\tasks\'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium