Sigma rules for Contagious Interview
500 rules · scoped to actor · back to Contagious Interview
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
- https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
date: 2022-08-29
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_name:
Image|endswith: '\SharpLdapWhoami.exe'
selection_pe: # in case the file has been renamed after compilation
- OriginalFileName|contains: 'SharpLdapWhoami'
- Product: 'SharpLdapWhoami'
selection_flags1:
CommandLine|endswith:
- ' /method:ntlm'
- ' /method:kerb'
- ' /method:nego'
- ' /m:nego'
- ' /m:ntlm'
- ' /m:kerb'
condition: 1 of selection*
falsepositives:
- Programs that use the same command line flags
level: high
title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
- id: dcd74b95-3f36-4ed9-9598-0490951643aa
type: similar
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
- https://github.com/tevora-threat/SharpView/
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021-12-10
modified: 2023-02-14
tags:
- attack.discovery
- attack.t1049
- attack.t1069.002
- attack.t1482
- attack.t1135
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'SharpView.exe'
- Image|endswith: '\SharpView.exe'
- CommandLine|contains:
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
- 'Add-RemoteConnection'
- 'Convert-ADName'
- 'ConvertFrom-SID'
- 'ConvertFrom-UACValue'
- 'Convert-SidToName'
# - 'ConvertTo-SID'
- 'Export-PowerViewCSV'
# - 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
# - 'Get-ADObject'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-Domain'
- 'Get-DomainComputer'
- 'Get-DomainController'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
# - 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
- 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-DomainGroup' # 'Get-DomainGroupMember'
- 'Get-DomainGUIDMap'
- 'Get-DomainManagedSecurityGroup'
- 'Get-DomainObject' # 'Get-DomainObjectAcl'
- 'Get-DomainOU'
- 'Get-DomainPolicy' # 'Get-DomainPolicyData'
- 'Get-DomainSID'
- 'Get-DomainSite'
- 'Get-DomainSPNTicket'
- 'Get-DomainSubnet'
- 'Get-DomainTrust' # 'Get-DomainTrustMapping'
# - 'Get-DomainUser'
- 'Get-DomainUserEvent'
# - 'Get-Forest'
- 'Get-ForestDomain'
- 'Get-ForestGlobalCatalog'
- 'Get-ForestTrust'
- 'Get-GptTmpl'
- 'Get-GroupsXML'
# - 'Get-GUIDMap'
# - 'Get-IniContent'
# - 'Get-IPAddress'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetComputer' # 'Get-NetComputerSiteName'
- 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
- 'Get-NetFileServer'
- 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
- 'Get-NetGPO' # 'Get-NetGPOGroup'
# - 'Get-NetGroup'
- 'Get-NetGroupMember'
- 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
- 'Get-NetLoggedon'
- 'Get-NetOU'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-NetSession'
- 'Get-NetShare'
- 'Get-NetSite'
- 'Get-NetSubnet'
- 'Get-NetUser'
# - 'Get-ObjectAcl'
- 'Get-PathAcl'
- 'Get-PrincipalContext'
# - 'Get-Proxy'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-RevertToSelf'
- 'Invoke-Sharefinder'
- 'Invoke-UserImpersonation'
# - 'New-DomainGroup'
# - 'New-DomainUser'
- 'Remove-DomainObjectAcl'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
# - 'Resolve-IPAddress'
# - 'Set-ADObject'
- 'Set-DomainObject'
# - 'Set-DomainUserPassword'
- 'Test-AdminAccess'
condition: selection
falsepositives:
- Unknown
level: high
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: file_event
product: windows
detection:
selection_generic:
Image|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\smss.exe'
- '\wininit.exe'
- '\winlogon.exe'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.ps1'
- '.txt'
- '.vbe'
- '.vbs'
selection_special:
Image|endswith:
- '\dllhost.exe'
- '\rundll32.exe'
- '\svchost.exe'
TargetFilename|endswith:
- '.bat'
- '.hta'
- '.iso'
- '.ps1'
- '.vbe'
- '.vbs'
filter_main_AppLockerPolicyTest:
Image: 'C:\Windows\System32\dllhost.exe'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
filter_main_clipchamp:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Program Files\WindowsApps\Clipchamp'
- '.ps1'
filter_main_powershell_preview:
Image:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|startswith:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
TargetFilename|endswith: '.ps1'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Perflogs\'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\NetworkService\'
- ':\Windows\addins\'
- ':\Windows\debug\'
- ':\Windows\Fonts\'
- ':\Windows\Help\'
- ':\Windows\IME\'
- ':\Windows\Media\'
- ':\Windows\repair\'
- ':\Windows\security\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '$Recycle.bin'
- '\config\systemprofile\'
- '\Intel\Logs\'
- '\RSA\MachineKeys\'
filter_optional_ibm:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
filter_optional_citrix:
Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
Image|endswith: '\CitrixReceiverUpdater.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022-06-01
modified: 2023-02-06
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
# Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
selection_msdt:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains: '\calc.exe '
selection_2:
Image|endswith: '\calc.exe'
filter_main_known_locations:
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
- Unknown
level: high
title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wermgr.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wscript.exe'
filter_main_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'C:\Windows\system32\WerConCpl.dll'
- 'LaunchErcApp '
CommandLine|contains:
- '-queuereporting'
- '-responsepester'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036
- attack.t1055.001
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains:
- 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
- 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
- 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
- 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
filter_main_legit_name:
Image|endswith: '\dctask64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sdiagnhost.exe'
Image|endswith:
# Add more suspicious LOLBins
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\taskkill.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
# - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
filter_main_cmd_bits:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'bits'
filter_main_powershell_noprofile:
Image|endswith: '\powershell.exe'
CommandLine|endswith:
- '-noprofile -'
- '-noprofile'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious Process Parents
id: cbec226f-63d9-4eca-9f52-dfb6652f24df
status: test
description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
references:
- https://twitter.com/x86matthew/status/1505476263464607744?s=12
- https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2022-09-08
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\minesweeper.exe'
- '\winver.exe'
- '\bitsadmin.exe'
selection_special:
ParentImage|endswith:
- '\csrss.exe'
- '\certutil.exe'
# - '\schtasks.exe'
- '\eventvwr.exe'
- '\calc.exe'
- '\notepad.exe'
filter_special:
Image|endswith:
- '\WerFault.exe'
- '\wermgr.exe'
- '\conhost.exe' # csrss.exe, certutil.exe
- '\mmc.exe' # eventvwr.exe
- '\win32calc.exe' # calc.exe
- '\notepad.exe'
filter_null:
Image: null
condition: selection or ( selection_special and not 1 of filter_* )
falsepositives:
- Unknown
level: high
title: Renamed Plink Execution
id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
status: test
description: Detects the execution of a renamed version of the Plink binary
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'Plink'
- CommandLine|contains|all:
- ' -l forward'
- ' -P '
- ' -R '
filter:
Image|endswith: '\plink.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
- id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
type: similar
- id: e4a6b256-3e47-40fc-89d2-7a477edd6915
type: similar
status: test
description: |
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
- https://tria.ge/240731-jh4crsycnb/behavioral2
- https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
filter_main_img_location:
Image:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
filter_main_ofn:
OriginalFileName: 'svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036.005
- attack.t1055
- attack.t1055.012
logsource:
category: process_creation
product: windows
detection:
selection:
# Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
Image|endswith: '\svchost.exe'
filter_main_flags:
CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
filter_optional_defender:
ParentImage|endswith: '\MsMpEng.exe'
CommandLine|contains: 'svchost.exe'
filter_optional_mrt:
ParentImage|endswith: '\MRT.exe'
CommandLine: 'svchost.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
title: Potential MsiExec Masquerading
id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
status: test
description: Detects the execution of msiexec.exe from an uncommon directory
references:
- https://twitter.com/200_okay_/status/1194765831911215104
author: Florian Roth (Nextron Systems)
date: 2019-11-14
modified: 2023-02-21
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\msiexec.exe'
- OriginalFileName: '\msiexec.exe'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1036.004
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|windash: ' /create '
CommandLine|contains:
- ' audiodg'
- ' conhost'
- ' dwm.exe'
- ' explorer'
- ' lsass'
- ' lsm'
- ' mmc'
- ' msiexec'
- ' regsvr32'
- ' rundll32'
- ' services'
- ' spoolsv'
- ' svchost'
- ' taskeng'
- ' taskhost'
- ' wininit'
- ' winlogon'
condition: all of selection_*
falsepositives:
- Legitimate system administration tasks scheduling trusted system processes.
level: high
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
- attack.initial-access
- attack.stealth
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1036.005
logsource:
category: proxy
detection:
selection:
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 10001
condition: selection
falsepositives:
- Unlikely
level: high
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.execution
- attack.t1021.003
- attack.t1047
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
- 99fcfec4-5260-101b-bbcb-00aa0021347a
- 000001a0-0000-0000-c000-000000000046
- 00000131-0000-0000-c000-000000000046
- 00000143-0000-0000-c000-000000000046
- 00000000-0000-0000-c000-000000000046
condition: selection
falsepositives:
- Some administrative tasks on remote host
level: high
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: test
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
date: 2020-03-26
modified: 2022-12-25
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'WMImplant'
- ' change_user '
- ' gen_cli '
- ' command_exec '
- ' disable_wdigest '
- ' disable_winrm '
- ' enable_wdigest '
- ' enable_winrm '
- ' registry_mod '
- ' remote_posh '
- ' sched_job '
- ' service_mod '
- ' process_kill '
# - ' process_start '
- ' active_users '
- ' basic_info '
# - ' drive_list '
# - ' installed_programs '
- ' power_off '
- ' vacant_system '
- ' logon_events '
condition: selection
falsepositives:
- Administrative scripts that use the same keywords.
level: high
title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
- https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1047
- attack.persistence
- attack.t1546.003
logsource:
product: windows
category: wmi_event
detection:
selection_destination:
Destination|base64offset|contains:
- 'WriteProcessMemory'
- 'This program cannot be run in DOS mode'
- 'This program must be run under Win32'
condition: selection_destination
falsepositives:
- Unknown
level: high
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
- id: 692f0bec-83ba-4d04-af7e-e884a96059b6
type: similar
- id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
type: similar
- id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith: '\wbem\WmiPrvSE.exe'
selection_children_1:
# TODO: Add more LOLBINs or suspicious processes that make sens in your environment
Image|endswith:
- '\certutil.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\verclsid.exe'
- '\wscript.exe'
selection_children_2:
# This is in a separate selection due to the nature of FP generated with CMD
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'cscript'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'wscript'
filter_main_werfault:
Image|endswith: '\WerFault.exe'
filter_main_wmiprvse:
Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
filter_main_msiexec:
Image|endswith: '\msiexec.exe'
CommandLine|contains: '/i '
condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: HackTool - Potential Impacket Lateral Movement Activity
id: 10c14723-61c7-4c75-92ca-9af245723ad2
related:
- id: e31f89f7-36fb-4697-8ab6-48823708353b
type: obsolete
status: stable
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
references:
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
- https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
date: 2019-09-03
modified: 2023-02-21
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection_other:
# *** wmiexec.py
# parent is wmiprvse.exe
# examples:
# cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
# cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
# *** dcomexec.py -object MMC20
# parent is mmc.exe
# example:
# "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
# *** dcomexec.py -object ShellBrowserWindow
# runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
# example:
# "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
# *** smbexec.py
# parent is services.exe
# example:
# C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
ParentImage|endswith:
- '\wmiprvse.exe' # wmiexec
- '\mmc.exe' # dcomexec MMC
- '\explorer.exe' # dcomexec ShellBrowserWindow
- '\services.exe' # smbexec
CommandLine|contains|all:
- 'cmd.exe'
- '/Q'
- '/c'
- '\\\\127.0.0.1\\'
- '&1'
selection_atexec:
ParentCommandLine|contains:
- 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
- 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
# cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
CommandLine|contains|all:
- 'cmd.exe'
- '/C'
- 'Windows\Temp\'
- '&1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Autorun Registry Modified via WMI
id: c80e66d8-1780-48a9-b412-46663fd21ac0
status: experimental
description: |
Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
references:
- Internal Research
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1547.001
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_execution_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Desktops /t REG_SZ /d "\"C:\Users\user\AppData\Roaming\Microsoft\tre\Desktops.exe\" random" /f'
- ParentImage|endswith: '\wmiprvse.exe'
selection_execution_cmd:
CommandLine|contains|all:
- 'reg'
- ' add '
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
selection_suspicious_paths_1:
CommandLine|contains:
- ':\Perflogs'
- :\ProgramData'
- ':\Windows\Temp'
- ':\Temp'
- '\AppData\Local\Temp'
- '\AppData\Roaming'
- ':\$Recycle.bin'
- ':\Users\Default'
- ':\Users\public'
- '%temp%'
- '%tmp%'
- '%Public%'
- '%AppData%'
selection_suspicious_paths_user_1:
CommandLine|contains: ':\Users\'
selection_suspicious_paths_user_2:
CommandLine|contains:
- '\Favorites'
- '\Favourites'
- '\Contacts'
- '\Music'
- '\Pictures'
- '\Documents'
- '\Photos'
condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))
falsepositives:
- Legitimate administrative activity or software installations
level: high
title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.discovery
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.t1110
- attack.t1201
logsource:
category: process_creation
product: windows
detection:
selection_binary:
Image|endswith: '\crackmapexec.exe'
selection_special:
CommandLine|contains: ' -M pe_inject '
selection_execute:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -x '
selection_hash:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
- " -H 'NTHASH'"
selection_module_mssql:
CommandLine|contains|all:
- ' mssql '
- ' -u '
- ' -p '
- ' -M '
- ' -d '
selection_module_smb1:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -H '
- ' -M '
- ' -o '
selection_module_smb2:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -p '
- ' --local-auth'
part_localauth_1:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
part_localauth_2:
CommandLine|contains|all:
- ' 10.'
- ' 192.168.'
- '/24 '
condition: 1 of selection_* or all of part_localauth*
falsepositives:
- Unknown
level: high
title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'HH.exe'
- Image|endswith: '\hh.exe'
selection_paths:
CommandLine|contains:
- '.application'
- '\AppData\Local\Temp\'
- '\Content.Outlook\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\AppData\Local\Temp\Temp?_'
# - '\AppData\Local\Temp\Rar$'
# - '\AppData\Local\Temp\7z'
# - '\AppData\Local\Temp\wz'
# - '\AppData\Local\Temp\peazip-tmp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
- id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
references:
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'process '
- 'call '
- 'create '
CommandLine|contains:
# Add more susupicious paths and binaries as you see fit in your env
- 'rundll32'
- 'bitsadmin'
- 'regsvr32'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'powershell'
- 'pwsh'
- 'certutil'
- 'cscript'
- 'wscript'
- 'mshta'
- '\Users\Public\'
- '\Windows\Temp\'
- '\AppData\Local\'
- '%temp%'
- '%tmp%'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Microsoft Office Child Process
id: 438025f9-5856-4663-83f7-52f878a70a50
related:
- id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks
type: derived
- id: e1693bc8-7168-4eab-8718-cdcaa68a1738
type: derived
- id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
type: obsolete
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml
- https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
- https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
date: 2018-04-06
modified: 2023-04-24
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\EQNEDT32.EXE'
- '\EXCEL.EXE'
- '\MSACCESS.EXE'
- '\MSPUB.exe'
- '\ONENOTE.EXE'
- '\POWERPNT.exe'
- '\VISIO.exe'
- '\WINWORD.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_child_processes:
- OriginalFileName:
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'wscript.exe'
- Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\wmic.exe'
- '\workfolders.exe'
- '\wscript.exe'
selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
Image|contains:
- '\AppData\'
- '\Users\Public\'
- '\ProgramData\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
- '\Windows\System32\Tasks\'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unknown
level: high
title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
- https://redcanary.com/blog/child-processes/
- https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\scrcons.exe'
Image|endswith:
- '\svchost.exe'
- '\dllhost.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\msbuild.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50
type: derived
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
type: obsolete
- id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.EXE'
- '\EQNEDT32.EXE'
- '\ONENOTE.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_wmic_img:
- Image|endswith: '\wbem\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains|all:
- 'process'
- 'create'
- 'call'
CommandLine|contains:
# Add more suspicious LOLBINs as you see fit
- 'regsvr32'
- 'rundll32'
- 'msiexec'
- 'mshta'
- 'verclsid'
- 'wscript'
- 'cscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\hh.exe'
Image|endswith:
- '\CertReq.exe'
- '\CertUtil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\installutil.exe'
- '\MSbuild.exe'
- '\MSHTA.EXE'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.s0106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- 'cmd.exe /C * > *\\Temp\\* 2>&1'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
- 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
- id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
type: similar
- id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
type: similar
status: test
description: |
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
- https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/mattifestation/status/986280382042595328 # Deleted
- https://atomicredteam.io/defense-evasion/T1220/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
- attack.stealth
- attack.t1047
- attack.t1220
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- Hashes|contains: # Sysmon field hashes contains all types
- 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
- 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
- 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
- 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
- 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
selection_cli:
CommandLine|contains|windash: '/format:'
CommandLine|contains:
- '://'
- '\\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: PSExec and WMI Process Creations Block
id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
status: test
description: Detects blocking of process creations originating from PSExec and WMI commands
references:
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
- https://twitter.com/duff22b/status/1280166329660497920
author: Bhabesh Raj
date: 2020-07-14
modified: 2022-12-25
tags:
- attack.execution
- attack.lateral-movement
- attack.t1047
- attack.t1569.002
logsource:
product: windows
service: windefend
definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
detection:
selection:
EventID: 1121
ProcessName|endswith:
- '\wmiprvse.exe'
- '\psexesvc.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
- https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022-01-07
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
- ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
- ScriptBlockText|contains|all:
- ' -i '
- ' -d '
- ' -p '
- ' -doh '
- ' -t '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: high
title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
references:
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_redirect:
CommandLine|contains: '>'
selection_share:
CommandLine|contains:
- '\\\\127.0.0.1\\admin$\\'
- '\\\\localhost\\admin$\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
Detects the execution of the Restic backup tool, which can be used for data exfiltration.
Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
- https://restic.net/
- https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
- attack.exfiltration
- attack.t1048
- attack.t1567.002
logsource:
product: windows
category: process_creation
detection:
selection_specific:
- CommandLine|contains|all:
- '--password-file'
- 'init'
- ' -r '
- CommandLine|contains|all:
- '--use-fs-snapshot'
- 'backup'
- ' -r '
selection_restic:
CommandLine|contains:
- 'sftp:'
- 'rest:http'
- 's3:s3.'
- 's3.http'
- 'azure:'
- ' gs:'
- 'rclone:'
- 'swift:'
- ' b2:'
CommandLine|contains|all:
- ' init '
- ' -r '
condition: 1 of selection_*
falsepositives:
- Legitimate use of Restic for backup purposes within the organization.
level: high
title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
- https://twitter.com/aceresponder/status/1636116096506818562
- https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
- https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
- https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1048.003
- cve.2023-23397
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\svchost.exe'
ParentCommandLine|contains: '-s WebClient'
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
filter_local_ips:
CommandLine|contains:
- '://10.' # 10.0.0.0/8
- '://192.168.' # 192.168.0.0/16
- '://172.16.' # 172.16.0.0/12
- '://172.17.'
- '://172.18.'
- '://172.19.'
- '://172.20.'
- '://172.21.'
- '://172.22.'
- '://172.23.'
- '://172.24.'
- '://172.25.'
- '://172.26.'
- '://172.27.'
- '://172.28.'
- '://172.29.'
- '://172.30.'
- '://172.31.'
- '://127.' # 127.0.0.0/8
- '://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.lateral-movement
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
OpNum:
- 0
- 1
condition: selection
falsepositives:
- Unknown
level: high
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.lateral-movement
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
OpNum:
- 0
- 1
condition: selection
falsepositives:
- Unknown
level: high
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\System32\Tasks'
Image|contains:
- '\AppData\'
- 'C:\PerfLogs'
- '\Windows\System32\config\systemprofile'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - SharPersist Execution
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: test
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
- https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
- https://github.com/mandiant/SharPersist
author: Florian Roth (Nextron Systems)
date: 2022-09-15
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SharPersist.exe'
- Product: 'SharPersist'
selection_cli_1:
CommandLine|contains:
- ' -t schtask -c '
- ' -t startupfolder -c '
selection_cli_2:
CommandLine|contains|all:
- ' -t reg -c '
- ' -m add'
selection_cli_3:
CommandLine|contains|all:
- ' -t service -c '
- ' -m add'
selection_cli_4:
CommandLine|contains|all:
- ' -t schtask -c '
- ' -m add'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Scheduled TaskCache Change by Uncommon Program
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
status: test
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://labs.f-secure.com/blog/scheduled-task-tampering/
author: Syed Hasan (@syedhasan009)
date: 2021-06-18
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_other:
TargetObject|contains:
- 'Microsoft\Windows\UpdateOrchestrator'
- 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
- 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
filter_main_mousocoreworker:
Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
filter_main_services:
Image|endswith: 'C:\Windows\System32\services.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\'
Image|endswith: '\TiWorker.exe'
filter_main_svchost:
Image: 'C:\WINDOWS\system32\svchost.exe'
filter_main_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
Image|endswith: '\ngen.exe'
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
filter_main_office:
Image:
- 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
- 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
filter_main_msiexec:
Image: 'C:\Windows\System32\msiexec.exe'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
filter_main_system:
Image: 'System'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
filter_optional_dropbox_updater:
Image:
- 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
- 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
filter_optional_edge:
Image|endswith:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
- 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
filter_optional_onedrive:
Image|endswith:
- 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
- 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
- https://x.com/JangPr0/status/1932034543026065833
- https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1036.003
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_cmd_operation:
CommandLine|contains|windash:
- ' /create '
- ' /delete '
- ' /query '
- ' /change '
- ' /run '
- ' /end '
selection_cmd_flags:
CommandLine|contains|windash:
- ' /tn '
- ' /tr '
- ' /sc '
- ' /st '
- ' /ru '
- ' /fo '
selection_pe:
OriginalFileName: 'schtasks.exe'
filter_main_cmd:
CommandLine|contains: 'schtasks'
filter_main_img:
Image|endswith: '\schtasks.exe'
condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
- Unlikely
level: high
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
- https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_root:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- ' /change '
- ' /create '
selection_run:
CommandLine|contains: '/ru '
selection_user:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter_optional_teamviewer:
# FP from test set in SIGMA
# Cannot use ParentImage on all OSes for 4688 events
# ParentImage|contains|all:
# - '\AppData\Local\Temp\'
# - 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/TN TVInstallRestore'
- '\TeamViewer_.exe'
filter_optional_office:
CommandLine|contains|all:
# https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
- 'Subscription Heartbeat'
- '\HeartbeatConfig.xml'
- '\Microsoft Shared\OFFICE'
filter_optional_avira:
CommandLine|contains:
- '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
- ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
- '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high