Sigma rules for Cy4Gate
23 rules · scoped to actor
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 10001
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
description: DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
    - https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022-01-07
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
        - ScriptBlockText|contains|all:
            - ' -i '
            - ' -d '
            - ' -p '
            - ' -doh '
            - ' -t '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: high

title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers
references:
    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_redirect:
        CommandLine|contains: '>'
    selection_share:
        CommandLine|contains:
            - '\\\\127.0.0.1\\admin$\\'
            - '\\\\localhost\\admin$\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
    Detects the execution of the Restic backup tool, which can be used for data exfiltration.
    Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
    If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
    - https://restic.net/
    - https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048
    - attack.t1567.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_specific:
        - CommandLine|contains|all:
            - '--password-file'
            - 'init'
            - ' -r '
        - CommandLine|contains|all:
            - '--use-fs-snapshot'
            - 'backup'
            - ' -r '
    selection_restic:
        CommandLine|contains:
            - 'sftp:'
            - 'rest:http'
            - 's3:s3.'
            - 's3.http'
            - 'azure:'
            - ' gs:'
            - 'rclone:'
            - 'swift:'
            - ' b2:'
        CommandLine|contains|all:
            - ' init '
            - ' -r '
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Restic for backup purposes within the organization.
level: high

title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
    - https://sec.okta.com/fastpassphishingdetection
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2023-05-07
modified: 2026-04-27
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    product: okta
    service: okta
detection:
    selection:
        outcome.reason: 'FastPass declined phishing attempt'
        outcome.result: FAILURE
        eventType: user.authentication.auth_via_mfa
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
    Detects when System Manager successfully executes commands against an instance.
references:
    - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.t1566
    - attack.t1566.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event and 1 of selection_status_*
falsepositives:
    - There are legitimate uses of SSM to send commands to EC2 instances
    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high

title: Phishing Pattern ISO in Archive
id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
status: test
description: Detects cases in which an ISO file is opened from within an archiver like 7Zip or WinRAR, which is a sign of phishing, as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of the web)
references:
    - https://twitter.com/1ZRR4H/status/1534259727059787783
    - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
author: Florian Roth (Nextron Systems)
date: 2022-06-07
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Winrar.exe'
            - '\7zFM.exe'
            - '\peazip.exe'
        Image|endswith:
            - '\isoburn.exe'
            - '\PowerISO.exe'
            - '\ImgBurn.exe'
    condition: selection
falsepositives:
    - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image by clicking rather than extracting
level: high

title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_paths:
        CommandLine|contains:
            - '.application'
            - '\AppData\Local\Temp\'
            - '\Content.Outlook\'
            - '\Downloads\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\AppData\Local\Temp\Temp?_'
            # - '\AppData\Local\Temp\Rar$'
            # - '\AppData\Local\Temp\7z'
            # - '\AppData\Local\Temp\wz'
            # - '\AppData\Local\Temp\peazip-tmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Microsoft OneNote Child Process
id: c27515df-97a9-4162-8a60-dc0eeb51b775
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes
      type: derived
status: test
description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
    - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-21
modified: 2023-02-10
tags:
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\onenote.exe'
    selection_opt_img:
        - OriginalFileName:
            - 'bitsadmin.exe'
            - 'CertOC.exe'
            - 'CertUtil.exe'
            - 'Cmd.Exe'
            - 'CMSTP.EXE'
            - 'cscript.exe'
            - 'curl.exe'
            - 'HH.exe'
            - 'IEExec.exe'
            - 'InstallUtil.exe'
            - 'javaw.exe'
            - 'Microsoft.Workflow.Compiler.exe'
            - 'msdt.exe'
            - 'MSHTA.EXE'
            - 'msiexec.exe'
            - 'Msxsl.exe'
            - 'odbcconf.exe'
            - 'pcalua.exe'
            - 'PowerShell.EXE'
            - 'RegAsm.exe'
            - 'RegSvcs.exe'
            - 'REGSVR32.exe'
            - 'RUNDLL32.exe'
            - 'schtasks.exe'
            - 'ScriptRunner.exe'
            - 'wmic.exe'
            - 'WorkFolders.exe'
            - 'wscript.exe'
        - Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certoc.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cmstp.exe'
            - '\control.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\ieexec.exe'
            - '\installutil.exe'
            - '\javaw.exe'
            - '\mftrace.exe'
            - '\Microsoft.Workflow.Compiler.exe'
            - '\msbuild.exe'
            - '\msdt.exe'
            - '\mshta.exe'
            - '\msidb.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\pcalua.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regasm.exe'
            - '\regsvcs.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\svchost.exe'
            - '\verclsid.exe'
            - '\wmic.exe'
            - '\workfolders.exe'
            - '\wscript.exe'
    selection_opt_explorer:
        Image|endswith: '\explorer.exe'
        CommandLine|contains:
            - '.hta'
            - '.vb'
            - '.wsh'
            - '.js'
            - '.ps'
            - '.scr'
            - '.pif'
            - '.bat'
            - '.cmd'
    selection_opt_paths:
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    filter_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        CommandLine|endswith: '-Embedding'
    filter_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\FileCoAuth.exe'
        CommandLine|endswith: '-Embedding'
    condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*
falsepositives:
    - File located in the AppData folder with trusted signature
level: high

title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious External WebDAV Execution
id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
related:
    - id: 4c55738d-72d8-490e-a2db-7969654e375f
      type: similar
status: test
description: |
    Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
references:
    - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
    - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Ahmed Farouk
date: 2024-05-10
tags:
    - attack.initial-access
    - attack.resource-development
    - attack.t1584
    - attack.t1566
logsource:
    category: proxy
detection:
    selection_webdav:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    selection_execution:
        c-uri|endswith:
            - '.7z'
            - '.bat'
            - '.dat'
            - '.cmd'
            - '.exe'
            - '.js'
            - '.lnk'
            - '.ps1'
            - '.rar'
            - '.url'
            - '.vbe'
            - '.vbs'
            - '.zip'
    filter_main_local_ips:
        dst_ip|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Network Communication Initiated To Portmap.IO Domain
id: 07837ab9-60e1-481f-a74d-c31fb496a94c
status: test
description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
references:
    - https://portmap.io/
    - https://github.com/rapid7/metasploit-framework/issues/11337
    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.t1041
    - attack.command-and-control
    - attack.t1090.002
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.portmap.io'
    condition: selection
falsepositives:
    - Legitimate use of portmap.io domains
level: medium

title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung, Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
            - '\robocopy.exe'
            - '\xcopy.exe'
        - OriginalFileName:
            - 'robocopy.exe'
            - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        - OriginalFileName:
            - 'powershell_ise.exe'
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium

title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    filter_optional_avast:
        Image|contains:
            - ':\Program Files\Avast Software\SecureLine VPN\'
            - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
    filter_optional_openvpn:
        Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
    filter_optional_protonvpn:
        Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium

title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
    Detects the execution of the BCP utility in order to export data from the database.
    Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
    - https://docs.microsoft.com/en-us/sql/tools/bcp-utility
    - https://asec.ahnlab.com/en/61000/
    - https://asec.ahnlab.com/en/78944/
    - https://www.huntress.com/blog/attacking-mssql-servers
    - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
    - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
    - attack.execution
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcp.exe'
        - OriginalFileName: 'BCP.exe'
    selection_cli:
        CommandLine|contains:
            - ' out ' # Export data from a table
            - ' queryout ' # Export data based on a SQL query
    condition: all of selection_*
falsepositives:
    - Legitimate data export operations.
level: medium

title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium

title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
    category: process_creation
    product: macos
tags:
    - attack.defense-impairment
    - attack.t1566
    - attack.t1566.002
    - attack.initial-access
    - attack.t1059
    - attack.t1059.002
    - attack.t1204
    - attack.t1204.001
    - attack.execution
    - attack.persistence
    - attack.t1553
detection:
    selection_parent:
        ParentImage|endswith: '/Script Editor'
    selection_img:
        - Image|endswith:
            - '/curl'
            - '/bash'
            - '/sh'
            - '/zsh'
            - '/dash'
            - '/fish'
            - '/osascript'
            - '/mktemp'
            - '/chmod'
            - '/php'
            - '/nohup'
            - '/openssl'
            - '/plutil'
            - '/PlistBuddy'
            - '/xattr'
            - '/sqlite'
            - '/funzip'
            - '/popen'
        - Image|contains:
            - 'python'
            - 'perl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Suspicious Email Delivered In Microsoft 365
id: 3569aefd-e535-4391-8c18-24bd01a21eaf
status: experimental
description: |
    Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
    It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
references:
    - https://learn.microsoft.com/en-us/defender-office-365/threat-explorer-real-time-detections-about
    - https://research.splunk.com/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/
    - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/e7250648cb16d4a497ae8737943bf010ea96d2e6/Defender%20For%20Cloud%20Apps/MaliciousEmailDeliveredInMailbox.md
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-27
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.t1566.002
logsource:
    service: audit
    product: m365
detection:
    selection:
        Workload: 'ThreatIntelligence'
        Operation: 'TIMailData'
        Directionality: 'Inbound'
    filter_main_blocked:
        DeliveryAction: 'Blocked'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium

title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low

title: Download From Suspicious TLD - Blacklist
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
related:
    - id: b5de2919-b74a-4805-91a7-5049accbaefe
      type: similar
status: test
description: Detects download of certain file types from hosts in suspicious TLDs
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth (Nextron Systems)
date: 2017-11-07
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            # Symantec / Chris Larsen analysis
            - '.country'
            - '.stream'
            - '.gdn'
            - '.mom'
            - '.xin'
            - '.kim'
            - '.men'
            - '.loan'
            - '.download'
            - '.racing'
            - '.online'
            - '.science'
            - '.ren'
            - '.gb'
            - '.win'
            - '.top'
            - '.review'
            - '.vip'
            - '.party'
            - '.tech'
            - '.xyz'
            - '.date'
            - '.faith'
            - '.zip'
            - '.cricket'
            - '.space'
            # McAfee report
            - '.info'
            - '.vn'
            - '.cm'
            - '.am'
            - '.cc'
            - '.asia'
            - '.ws'
            - '.tk'
            - '.biz'
            - '.su'
            - '.st'
            - '.ro'
            - '.ge'
            - '.ms'
            - '.pk'
            - '.nu'
            - '.me'
            - '.ph'
            - '.to'
            - '.tt'
            - '.name'
            - '.tv'
            - '.kz'
            - '.tc'
            - '.mobi'
            # Spamhaus
            - '.study'
            - '.click'
            - '.link'
            - '.trade'
            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '.cf'
            - '.gq'
            - '.ml'
            - '.ga'
            # Custom
            - '.pw'
    condition: selection
falsepositives:
    - All kinds of software downloads
level: low

title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
      type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
falsepositives:
    - All kinds of software downloads
level: low