Sigma rules for Contagious Interview
500 rules · scoped to actor · back to Contagious Interview
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://abuse.io/lockergoga.txt
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_clear_1:
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: # ETW provider removal from a trace session
CommandLine|contains|all:
- 'logman'
- 'update'
- 'trace'
- '--p'
- '-ets'
selection_pwsh_remove: # Autologger provider removal
CommandLine|contains: 'Remove-EtwTraceProvider'
selection_pwsh_set: # Provider “Enable” property modification
CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '0x11'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
- id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains|all:
- 'unload'
- 'sysmon'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021-08-27
modified: 2023-01-23
tags:
- attack.stealth
- attack.t1070
logsource:
service: msexchange-management
product: windows
detection:
keywords:
'|all':
- 'Remove-MailboxExportRequest'
- ' -Identity '
- ' -Confirm "False"'
condition: keywords
falsepositives:
- Unknown
level: high
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1112
logsource:
category: registry_delete
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
selection2:
EventType: DeleteKey
TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
- attack.stealth
- attack.t1070.004
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|contains: ':\Windows\Prefetch\'
TargetFilename|endswith: '.pf'
filter_main_svchost:
Image|endswith: ':\windows\system32\svchost.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
- https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
# Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
selection_count:
CommandLine|contains|windash: ' -n '
selection_nul:
CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
selection_del_param:
CommandLine|contains|windash:
- ' -f '
- ' -q '
selection_all:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'del '
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
related:
- id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d # DLL Load
type: derived
status: test
description: Detects SILENTTRINITY stager use via PE metadata
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- Unlikely
level: high
title: HackTool - SILENTTRINITY Stager DLL Load
id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
related:
- id: 03552375-cc2c-4883-bbe4-7958d5a980be # Process Creation
type: derived
status: test
description: Detects SILENTTRINITY stager dll loading activity
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-17
tags:
- attack.command-and-control
- attack.t1071
logsource:
category: image_load
product: windows
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- Unlikely
level: high
title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: test
description: Detects wannacry killswitch domain dns queries
references:
- https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
author: Mike Wade
date: 2020-09-16
modified: 2022-03-24
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
condition: selection
falsepositives:
- Analyst testing
level: high
title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: test
description: |
Detects outbound network connection initiated by Microsoft Dialer.
The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
- https://tria.ge/240301-rk34sagf5x/behavioral2
- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024-04-26
tags:
- attack.execution
- attack.command-and-control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: ':\Windows\System32\dialer.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high
title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_image_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_image_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_image_tunnel_service:
CommandLine|contains|all:
- 'tunnel '
- 'service'
- 'internal-run'
- 'tunnel-service.log'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
filter_main_parent_code:
ParentImage|endswith:
- '\code-tunnel.exe'
- '\code.exe'
filter_main_image_code:
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
- Unknown
level: high
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1071.001
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
falsepositives:
cs-host|endswith:
- '.com'
- '.net'
- '.org'
- '.scdn.co' # spotify streaming
- '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
condition: selection and not falsepositives
falsepositives:
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
- https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
logsource:
category: proxy
detection:
selection:
c-uri|contains:
- '.paste.ee/r/'
- '.pastebin.com/raw/'
- '.hastebin.com/raw/'
- '.ghostbin.co/paste/*/raw/'
- 'pastetext.net/'
- 'pastebin.pl/'
- 'paste.ee/'
condition: selection
falsepositives:
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
- https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
- https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
- https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# RATs
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
- 'HttpBrowser/1.0' # HTTPBrowser RAT
- '*<|>*' # Houdini / Iniduoh / njRAT
- 'nsis_inetc (mozilla)' # ZeroAccess
- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
# Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
# Malware
- '*zeroup*' # W32/Renos.Downloader
- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
- '* adlib/*'
- '* tiny' # Trojan Downloader
- '* BGroom *' # Trojan Downloader
- '* changhuatong'
- '* CholTBAgent'
- 'Mozilla/5.0 WinInet'
- 'RookIE/1.0'
- 'M' # HkMain
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
- 'backdoorbot'
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
- 'Opera' # Trojan Keragany
- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
- 'MSIE' # Toby web shell
- '*(Charon; Inferno)' # Loki Bot
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
- 'Mozilla/5.0 (Windows NT 6.1)'
- 'AppleWebkit/587.38 (KHTML, like Gecko)'
- 'Chrome/91.0.4472.77'
- 'Safari/537.36'
- 'Edge/91.0.864.37'
- 'Firefox/89.0'
- 'Gecko/20100101'
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'
- 'sample'
- 'nocase'
- 'Moxilla'
- 'Win32 *'
- '*Microsoft Internet Explorer*'
- 'agent *'
- 'AutoIt' # Suspicious - base-lining recommended
- 'IczelionDownLoad'
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
- 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
- 'antSword/v2.1' # AntSword Webshell UA
- 'rqwrwqrqwrqw' # Racoon Stealer
- 'qwrqrwrqwrqwr' # Racoon Stealer
- 'rc2.0/client' # Racoon Stealer
- 'TakeMyPainBack' # Racoon Stealer
- 'xxx' # Racoon Stealer
- '20112211' # Racoon Stealer
- '23591' # Racoon Stealer
- '901785252112' # Racoon Stealer
- '1235125521512' # Racoon Stealer
- '125122112551' # Racoon Stealer
- 'B1D3N_RIM_MY_ASS' # Racoon Stealer
- 'AYAYAYAY1337' # Racoon Stealer
- 'iMightJustPayMySelfForAFeature' # Racoon Stealer
- 'ForAFeature' # Racoon Stealer
- 'Ares_ldr_v_*' # AresLoader
# - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
- 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
- 'CLCTR' # https://github.com/silence-is-best/c2db
- 'uploader' # https://github.com/silence-is-best/c2db
- 'agent' # https://github.com/silence-is-best/c2db
- 'License' # https://github.com/silence-is-best/c2db
- 'vb wininet' # https://github.com/silence-is-best/c2db
- 'Client' # https://github.com/silence-is-best/c2db
- 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
- 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
- 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
- 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'DuckTales' # Racoon Stealer
- 'Zadanie' # Racoon Stealer
- 'GunnaWunnaBlueTips' # Racoon Stealer
- 'Xlmst' # Racoon Stealer
- 'GeekingToTheMoon' # Racoon Stealer
- 'SunShineMoonLight' # Racoon Stealer
- 'BunnyRequester' # BunnyStealer
- 'BunnyTasks' # BunnyStealer
- 'BunnyStealer' # BunnyStealer
- 'BunnyLoader_Dropper' # BunnyStealer
- 'BunnyLoader' # BunnyStealer
- 'BunnyShell' # BunnyStealer
- 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
- '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
- 'SouthSide' # Racoon Stealer
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
- https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020-07-13
modified: 2024-02-26
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-uri:
- '/admin/get.php'
- '/news.php'
- '/login/process.php'
cs-method: 'POST'
condition: selection
falsepositives:
- Valid requests with this exact user agent to server scripts of the defined names
level: high
title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
- Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# APT Related
- 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
- 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
- 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
- 'webclient' # Naikon APT
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
- 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
- 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001' # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
condition: selection
falsepositives:
- Old browsers
level: high
title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
- Legitimate WebDAV administration
level: high
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Empire
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
# Exploits
- '*wordpress hash grabber*'
- '*exploit*'
# Havoc
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
condition: selection
falsepositives:
- Unknown
level: high
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
- https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
# XMRig
- 'XMRig '
# CCMiner
- 'ccminer'
condition: selection
falsepositives:
- Unknown
level: high
title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1071.001
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
cs-host|endswith:
- '1'
- '2'
- '3'
- '4'
- '5'
- '6'
- '7'
- '8'
- '9'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection1:
c-useragent|startswith:
- 'user-agent' # User-Agent: User-Agent:
- 'Mozilla/3.0 '
- 'Mozilla/2.0 '
- 'Mozilla/1.0 '
- 'Mozilla ' # missing slash
- ' Mozilla/' # leading space
- 'Mozila/' # single 'l'
- 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488
selection2:
c-useragent|contains:
- ' (compatible;MSIE ' # typical typo - missing space
- '.0;Windows NT ' # typical typo - missing space
- 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
selection3:
c-useragent:
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
- 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
- 'x' # Use by Racoon Stealer but could be something else
- 'xxx' # Use by Racoon Stealer but could be something else
falsepositives:
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
condition: 1 of selection* and not falsepositives
falsepositives:
- Unknown
level: high
title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
- id: 953b895e-5cc9-454b-b183-7f3db555452e
type: obsolete
- id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
type: obsolete
- id: 37325383-740a-403d-b1a2-b2b4ab7992e7
type: obsolete
- id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection_amazon_1:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection_amazon_2:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
selection_generic_1:
c-useragent:
- 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
- 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
selection_generic_2:
c-useragent|endswith: '; MANM; MANM)'
selection_oscp:
c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
selection_onedrive:
cs-method: 'GET'
c-uri|endswith: '\?manifest=wac'
cs-host: 'onedrive.live.com'
filter_main_onedrive:
c-uri|startswith: 'http'
c-uri|contains: '://onedrive.live.com/'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.t1048.001
- attack.command-and-control
- attack.t1071.004
- attack.t1132.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/grep'
CommandLine|contains:
- 'apached'
- 'frpc'
- 'sshd.sh'
- 'zone.arm'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
- id: d557dc06-62e8-4468-a8e8-7984124908ce
type: similar
status: test
description: |
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
- attack.credential-access
- attack.discovery
- attack.execution
- attack.privilege-escalation
- attack.t1046
- attack.t1082
- attack.t1106
- attack.t1518
- attack.t1548.002
- attack.t1552.001
- attack.t1555
- attack.t1555.003
logsource:
category: ps_script
product: windows
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Offline_Winpwn'
- 'WinPwn '
- 'WinPwn.exe'
- 'WinPwn.ps1'
condition: selection
falsepositives:
- As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
- attack.discovery
- attack.t1082
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
- id: 851fd622-b675-4d26-b803-14bc7baa517a
type: similar
status: test
description: |
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
- attack.credential-access
- attack.discovery
- attack.execution
- attack.privilege-escalation
- attack.t1046
- attack.t1082
- attack.t1106
- attack.t1518
- attack.t1548.002
- attack.t1552.001
- attack.t1555
- attack.t1555.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Offline_Winpwn'
- 'WinPwn '
- 'WinPwn.exe'
- 'WinPwn.ps1'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
- https://github.com/carlospolop/PEASS-ng
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1082
- attack.t1087
- attack.t1046
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'winPEAS.exe'
- Image|endswith:
- '\winPEASany_ofs.exe'
- '\winPEASany.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx86_ofs.exe'
- '\winPEASx86.exe'
selection_cli_option:
CommandLine|contains:
- ' applicationsinfo' # Search installed applications information
- ' browserinfo' # Search browser information
- ' eventsinfo' # Display interesting events information
- ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- ' filesinfo' # Search generic files that can contains credentials
- ' processinfo' # Search processes information
- ' servicesinfo' # Search services information
- ' windowscreds' # Search windows credentials
selection_cli_dl:
CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
selection_cli_specific:
- ParentCommandLine|endswith: ' -linpeas'
- CommandLine|endswith: ' -linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network related commands often used in recon stages
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022-02-07
tags:
- attack.discovery
- attack.t1087
- attack.t1082
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'nslookup'
- '_ldap._tcp.dc._msdcs.'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://gtfobins.github.io/gtfobins/c89/#shell
- https://gtfobins.github.io/gtfobins/c99/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/c89'
- '/c99'
- '/gcc'
CommandLine|contains: '-wrapper'
selection_cli:
CommandLine|contains:
- '/bin/bash,-s'
- '/bin/dash,-s'
- '/bin/fish,-s'
- '/bin/sh,-s'
- '/bin/zsh,-s'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
references:
- https://gtfobins.github.io/gtfobins/find/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/find'
CommandLine|contains|all:
- ' . '
- '-exec'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/flock/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/flock'
CommandLine|contains: ' -u '
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/nice/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/nice'
CommandLine|endswith:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Unknown
level: high
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/vim/
- https://gtfobins.github.io/gtfobins/rvim/
- https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rvim'
- '/vim'
- '/vimdiff'
CommandLine|contains:
- ' --cmd'
- ' -c '
selection_cli:
CommandLine|contains:
- ':!/'
- ':lua '
- ':py '
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Seatbelt Execution
id: 38646daa-e78f-4ace-9de0-55547b2d30da
status: test
description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
references:
- https://github.com/GhostPack/Seatbelt
- https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1526
- attack.t1087
- attack.t1083
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Seatbelt.exe'
- OriginalFileName: 'Seatbelt.exe'
- Description: 'Seatbelt'
- CommandLine|contains:
# This just a list of the commands that will produce the least amount of FP in "theory"
# Comment out/in as needed in your environment
# To get the full list of commands see reference section
- ' DpapiMasterKeys'
- ' InterestingProcesses'
- ' InterestingFiles'
- ' CertificateThumbprints'
- ' ChromiumBookmarks'
- ' ChromiumHistory'
- ' ChromiumPresence'
- ' CloudCredentials'
- ' CredEnum'
- ' CredGuard'
- ' FirefoxHistory'
- ' ProcessCreationEvents'
# - ' RDPSessions'
# - ' PowerShellHistory'
selection_group_list:
CommandLine|contains:
- ' -group=misc'
- ' -group=remote'
- ' -group=chromium'
- ' -group=slack'
- ' -group=system'
- ' -group=user'
- ' -group=all'
selection_group_output:
CommandLine|contains: ' -outputfile='
condition: selection_img or all of selection_group_*
falsepositives:
- Unlikely
level: high
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1087
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
- https://github.com/FalconForceTeam/SOAPHound
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
- attack.discovery
- attack.t1087
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains:
- ' --buildcache '
- ' --bhdump '
- ' --certdump '
- ' --dnsdump '
selection_2:
CommandLine|contains:
- ' -c '
- ' --cachefilename '
- ' -o '
- ' --outputdirectory'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: test
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.command-and-control
- attack.t1090
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 7001
condition: selection
falsepositives:
- Unlikely
level: high
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Sign-In From Malware Infected IP
id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
status: test
description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'malwareInfectedIPAddress'
condition: selection
falsepositives:
- Using an IP address that is shared by many users
level: high
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
- id: 18249279-932f-45e2-b37a-8925f2597670
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
level: high
title: RDP Port Forwarding Rule Added Via Netsh.EXE
id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
status: test
description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-01-29
modified: 2023-02-13
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- ' i'
- ' p'
- '=3389'
- ' c'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: high
title: PUA - NPS Tunneling Tool Execution
id: 68d37776-61db-42f5-bf54-27e87072d17e
status: test
description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
references:
- https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\npc.exe'
selection_cli_1:
CommandLine|contains|all:
- ' -server='
- ' -vkey='
- ' -password='
selection_cli_2:
CommandLine|contains: ' -config=npc'
selection_hashes:
# v0.26.10
Hashes|contains:
- "MD5=AE8ACF66BFE3A44148964048B826D005"
- "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
- https://github.com/HiwinCN/HTran
- https://github.com/cw1997/NATBypass
author: Florian Roth (Nextron Systems)
date: 2022-12-27
modified: 2023-02-04
tags:
- attack.command-and-control
- attack.t1090
- attack.s0040
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\htran.exe'
- '\lcx.exe'
selection_cli:
CommandLine|contains:
- '.exe -tran '
- '.exe -slave '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
- https://asec.ahnlab.com/en/38156/
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\frpc.exe'
- '\frps.exe'
selection_cli:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high