related
high
Invoke-Obfuscation Via Use Clip - Security
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test
author Nikita Nazarov, oscd.community
id 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Stdin - Security
Detects Obfuscated Powershell via Stdin in Scripts
status test
author Nikita Nazarov, oscd.community
id 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
- id: 487c7524-f892-4054-b263-8a0ace63fc25
type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'set'
- '&&'
ServiceFileName|contains:
- 'environment'
- 'invoke'
- '${input)'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Obfuscated IEX Invocation - Security
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
id fd0f5778-d3cb-4c9a-9695-66759d04702a
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Obfuscated IEX Invocation - Security
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_servicefilename:
- ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'
- ServiceFileName|re: '\$VerbosePreference\.ToString\('
- ServiceFileName|re: '\String\]\s*\$VerbosePreference'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Use Rundll32 - Security
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test
author Nikita Nazarov, oscd.community
id cd0f7229-d16f-42de-8fe3-fba365fbcb3a
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ServiceFileName|contains:
- value
- invoke
- comspec
- iex
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation STDIN+ Launcher - Security
Detects Obfuscated use of stdin to execute PowerShell
status test
author Jonathan Cheong, oscd.community
id 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'cmd'
- 'powershell'
selection2:
ServiceFileName|contains:
- '${input}'
- 'noexit'
selection3:
ServiceFileName|contains:
- ' /c '
- ' /r '
condition: all of selection*
falsepositives:
- Unknown
level: high
related
high
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
status test
author Florian Roth (Nextron Systems)
id 571498c8-908e-40b4-910b-d2369159a3da
license Sigma · DRL-1.1
view Sigma YAML
title: Password Protected ZIP File Opened (Email Attachment)
id: 571498c8-908e-40b4-910b-d2369159a3da
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- attack.initial-access
- attack.stealth
- attack.t1027
- attack.t1566.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5379
TargetName|contains|all:
- 'Microsoft_Windows_Shell_ZipFolder:filename'
- '\Temporary Internet Files\Content.Outlook'
condition: selection
falsepositives:
- Legitimate used of encrypted ZIP files
level: high
related
high
Invoke-Obfuscation VAR+ Launcher - Security
Detects Obfuscated use of Environment Variables to execute PowerShell
status test
author Jonathan Cheong, oscd.community
id dcf2db1f-f091-425b-a821-c05875b8925a
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
# ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
ServiceFileName|contains|all:
- 'cmd'
- '"set'
- '-f'
ServiceFileName|contains:
- '/c'
- '/r'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation CLIP+ Launcher - Security
Detects Obfuscated use of Clip.exe to execute PowerShell
status test
author Jonathan Cheong, oscd.community
id 4edf51e1-cb83-4e1a-bc39-800e396068e3
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation CLIP+ Launcher - Security
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'cmd'
- '&&'
- 'clipboard]::'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Use MSHTA - Security
Detects Obfuscated Powershell via use MSHTA in Scripts
status test
author Nikita Nazarov, oscd.community
id 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'mshta'
- 'vbscript:createobject'
- '.run'
- 'window.close'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation CLIP+ Launcher - System
Detects Obfuscated use of Clip.exe to execute PowerShell
status test
author Jonathan Cheong, oscd.community
id f7385ee2-0e0c-11eb-adc1-0242ac120002
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation CLIP+ Launcher - System
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2023-02-20
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'cmd'
- '&&'
- 'clipboard]::'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test
author Nikita Nazarov, oscd.community
id 641a4bfb-c017-44f7-800c-2aee0184ce9b
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Use Rundll32 - System
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ImagePath|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
status test
author Nikita Nazarov, oscd.community
id 487c7524-f892-4054-b263-8a0ace63fc25
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
ImagePath|contains|all:
- 'set'
- '&&'
ImagePath|contains:
- 'environment'
- 'invoke'
- 'input'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test
author Nikita Nazarov, oscd.community
id 63e3365d-4824-42d8-8b82-e56810fefa0c
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation STDIN+ Launcher - System
Detects Obfuscated use of stdin to execute PowerShell
status test
author Jonathan Cheong, oscd.community
id 72862bf2-0eb1-11eb-adc1-0242ac120002
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation STDIN+ Launcher - System
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection_main:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: 'cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
# Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
# Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
ImagePath|contains|all:
- 'cmd'
- 'powershell'
ImagePath|contains:
- '/c'
- '/r'
selection_other:
- ImagePath|contains: 'noexit'
- ImagePath|contains|all:
- 'input'
- '$'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
status test
author Nikita Nazarov, oscd.community
id 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'mshta'
- 'vbscript:createobject'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test
author Timur Zinniatullin, oscd.community
id 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
# Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
# Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
ImagePath|contains|all:
- '&&set'
- 'cmd'
- '/c'
- '-f'
ImagePath|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test
author Daniel Bohannon (@Mandiant/@FireEye), oscd.community
id 51aa9387-1c53-4153-91cc-d73c59ae1ca9
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation Obfuscated IEX Invocation - System
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: system
detection:
selection_eid:
EventID: 7045
selection_imagepath:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\String\]\s*\$VerbosePreference'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
status test
author Jonathan Cheong, oscd.community
id 8ca7004b-e620-4ecb-870e-86129b5b8e75
license Sigma · DRL-1.1
view Sigma YAML
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
ImagePath|contains|all:
- 'cmd'
- '"set'
- '-f'
ImagePath|contains:
- '/c'
- '/r'
condition: selection
falsepositives:
- Unknown
level: high
related
high
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
status test
author Florian Roth (Nextron Systems)
id f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
license Sigma · DRL-1.1
view Sigma YAML
title: PUA - DefenderCheck Execution
id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
status: test
description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
references:
- https://github.com/matterpreter/DefenderCheck
author: Florian Roth (Nextron Systems)
date: 2022-08-30
modified: 2023-02-04
tags:
- attack.stealth
- attack.t1027.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\DefenderCheck.exe'
- Description: 'DefenderCheck'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
HackTool - CrackMapExec PowerShell Obfuscation
The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
status test
author Thomas Patzke
id 6f8b3439-a203-45dc-a88b-abf57ea15ccf
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
author: Thomas Patzke
date: 2020-05-22
modified: 2023-02-21
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
- 'join*split'
# Line 343ff
- '( $ShellId[1]+$ShellId[13]+''x'')'
- '( $PSHome[*]+$PSHOME[*]+'
- '( $env:Public[13]+$env:Public[5]+''x'')'
- '( $env:ComSpec[4,*,25]-Join'''')'
- '[1,3]+''x''-Join'''')'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
SharpHound Recon Sessions
Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
status test
author Sagie Dulce, Dekel Paz
id 6d580420-ff3f-4e0e-b6b0-41b90c787e28
license Sigma · DRL-1.1
view Sigma YAML
title: SharpHound Recon Sessions
id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.discovery
- attack.t1033
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
OpNum: 12
condition: selection
falsepositives:
- Unknown
level: high
related
high
Possible DCSync Attack
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
status test
author Sagie Dulce, Dekel Paz
id 56fda488-113e-4ce9-8076-afc2457922c3
license Sigma · DRL-1.1
view Sigma YAML
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
status: test
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1033
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
filter:
OpNum:
- 0
- 1
- 12
condition: selection and not filter
falsepositives:
- Unknown
level: high
related
high
Webshell Detection With Command Line Keywords
Detects certain command line parameters often used during reconnaissance activity via web shells
status test
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
id bed2a484-9348-4143-8a8a-b801c979301c
license Sigma · DRL-1.1
view Sigma YAML
title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
date: 2017-01-01
modified: 2024-12-14
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\w3wp.exe'
- '\php-cgi.exe'
- '\nginx.exe'
- '\httpd.exe'
- '\caddy.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
selection_susp_net_utility:
OriginalFileName:
- 'net.exe'
- 'net1.exe'
CommandLine|contains:
- ' user '
- ' use '
- ' group '
selection_susp_ping_utility:
OriginalFileName: 'ping.exe'
CommandLine|contains: ' -n '
selection_susp_change_dir:
CommandLine|contains:
- '&cd&echo' # china chopper web shell
- 'cd /d ' # https://www.computerhope.com/cdhlp.htm
selection_susp_wmic_utility:
OriginalFileName: 'wmic.exe'
CommandLine|contains: ' /node:'
selection_susp_powershell_cli:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -enc '
- ' -EncodedCommand '
- ' -w hidden '
- ' -windowstyle hidden'
- '.WebClient).Download'
selection_susp_misc_discovery_binaries:
- Image|endswith:
- '\dsquery.exe'
- '\find.exe'
- '\findstr.exe'
- '\ipconfig.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\pathping.exe'
- '\quser.exe'
- '\schtasks.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\tracert.exe'
- '\ver.exe'
- '\wevtutil.exe'
- '\whoami.exe'
- OriginalFileName:
- 'dsquery.exe'
- 'find.exe'
- 'findstr.exe'
- 'ipconfig.exe'
- 'netstat.exe'
- 'nslookup.exe'
- 'pathping.exe'
- 'quser.exe'
- 'schtasks.exe'
- 'sysinfo.exe'
- 'tasklist.exe'
- 'tracert.exe'
- 'ver.exe'
- 'VSSADMIN.EXE'
- 'wevtutil.exe'
- 'whoami.exe'
selection_susp_misc_discovery_commands:
CommandLine|contains:
- ' Test-NetConnection '
- 'dir \' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
condition: 1 of selection_webserver_* and 1 of selection_susp_*
falsepositives:
- Unknown
level: high
related
high
Chopper Webshell Process Pattern
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
status test
author Florian Roth (Nextron Systems), MSTI (query)
id fa3c117a-bc0d-416e-a31b-0c0e80653efb
license Sigma · DRL-1.1
view Sigma YAML
title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_origin:
- Image|endswith: '\w3wp.exe'
- ParentImage|endswith: '\w3wp.exe'
selection_cmdline:
CommandLine|contains:
- '&ipconfig&echo'
- '&quser&echo'
- '&whoami&echo'
- '&c:&echo'
- '&cd&echo'
- '&dir&echo'
- '&echo [E]'
- '&echo [S]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Webshell Hacking Activity Patterns
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
status test
author Florian Roth (Nextron Systems)
id 4ebc877f-4612-45cb-b3a5-8e3834db36c9
license Sigma · DRL-1.1
view Sigma YAML
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
related
high
Whoami.EXE Execution From Privileged Process
Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
status test
author Florian Roth (Nextron Systems), Teymur Kheirkhabarov
id 79ce34ca-af29-4d0e-b832-fc1b377020db
license Sigma · DRL-1.1
view Sigma YAML
title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
- id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
type: obsolete
status: test
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022-01-28
modified: 2023-12-04
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'whoami.exe'
- Image|endswith: '\whoami.exe'
selection_user:
User|contains:
- 'AUTHORI'
- 'AUTORI'
- 'TrustedInstaller'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
status test
author Florian Roth (Nextron Systems)
id e9142d84-fbe0-401d-ac50-3e519fb00c89
license Sigma · DRL-1.1
view Sigma YAML
title: WhoAmI as Parameter
id: e9142d84-fbe0-401d-ac50-3e519fb00c89
status: test
description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
references:
- https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '.exe whoami'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Security Privileges Enumeration Via Whoami.EXE
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
status test
author Florian Roth (Nextron Systems)
id 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
license Sigma · DRL-1.1
view Sigma YAML
title: Security Privileges Enumeration Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: test
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021-05-05
modified: 2023-02-28
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_cli:
CommandLine|contains:
- ' /priv'
- ' -priv'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
HackTool - SharpLdapWhoami Execution
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
status test
author Florian Roth (Nextron Systems)
id d9367cbb-c2e0-47ce-bdc0-128cb6da898d
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
- https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
date: 2022-08-29
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_name:
Image|endswith: '\SharpLdapWhoami.exe'
selection_pe: # in case the file has been renamed after compilation
- OriginalFileName|contains: 'SharpLdapWhoami'
- Product: 'SharpLdapWhoami'
selection_flags1:
CommandLine|endswith:
- ' /method:ntlm'
- ' /method:kerb'
- ' /method:nego'
- ' /m:nego'
- ' /m:ntlm'
- ' /m:kerb'
condition: 1 of selection*
falsepositives:
- Programs that use the same command line flags
level: high
related
high
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
status test
author frack113
id b2317cfa-4a47-4ead-b3ff-297438c0bc2d
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
- id: dcd74b95-3f36-4ed9-9598-0490951643aa
type: similar
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
- https://github.com/tevora-threat/SharpView/
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021-12-10
modified: 2023-02-14
tags:
- attack.discovery
- attack.t1049
- attack.t1069.002
- attack.t1482
- attack.t1135
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'SharpView.exe'
- Image|endswith: '\SharpView.exe'
- CommandLine|contains:
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
- 'Add-RemoteConnection'
- 'Convert-ADName'
- 'ConvertFrom-SID'
- 'ConvertFrom-UACValue'
- 'Convert-SidToName'
# - 'ConvertTo-SID'
- 'Export-PowerViewCSV'
# - 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
# - 'Get-ADObject'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-Domain'
- 'Get-DomainComputer'
- 'Get-DomainController'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
# - 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
- 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-DomainGroup' # 'Get-DomainGroupMember'
- 'Get-DomainGUIDMap'
- 'Get-DomainManagedSecurityGroup'
- 'Get-DomainObject' # 'Get-DomainObjectAcl'
- 'Get-DomainOU'
- 'Get-DomainPolicy' # 'Get-DomainPolicyData'
- 'Get-DomainSID'
- 'Get-DomainSite'
- 'Get-DomainSPNTicket'
- 'Get-DomainSubnet'
- 'Get-DomainTrust' # 'Get-DomainTrustMapping'
# - 'Get-DomainUser'
- 'Get-DomainUserEvent'
# - 'Get-Forest'
- 'Get-ForestDomain'
- 'Get-ForestGlobalCatalog'
- 'Get-ForestTrust'
- 'Get-GptTmpl'
- 'Get-GroupsXML'
# - 'Get-GUIDMap'
# - 'Get-IniContent'
# - 'Get-IPAddress'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetComputer' # 'Get-NetComputerSiteName'
- 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
- 'Get-NetFileServer'
- 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
- 'Get-NetGPO' # 'Get-NetGPOGroup'
# - 'Get-NetGroup'
- 'Get-NetGroupMember'
- 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
- 'Get-NetLoggedon'
- 'Get-NetOU'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-NetSession'
- 'Get-NetShare'
- 'Get-NetSite'
- 'Get-NetSubnet'
- 'Get-NetUser'
# - 'Get-ObjectAcl'
- 'Get-PathAcl'
- 'Get-PrincipalContext'
# - 'Get-Proxy'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-RevertToSelf'
- 'Invoke-Sharefinder'
- 'Invoke-UserImpersonation'
# - 'New-DomainGroup'
# - 'New-DomainUser'
- 'Remove-DomainObjectAcl'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
# - 'Resolve-IPAddress'
# - 'Set-ADObject'
- 'Set-DomainObject'
# - 'Set-DomainUserPassword'
- 'Test-AdminAccess'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Windows Binaries Write Suspicious Extensions
Detects Windows executables that write files with suspicious extensions
status test
author Nasreddine Bencherchali (Nextron Systems)
id b8fd0e93-ff58-4cbd-8f48-1c114e342e62
license Sigma · DRL-1.1
view Sigma YAML
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: file_event
product: windows
detection:
selection_generic:
Image|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\smss.exe'
- '\wininit.exe'
- '\winlogon.exe'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.ps1'
- '.txt'
- '.vbe'
- '.vbs'
selection_special:
Image|endswith:
- '\dllhost.exe'
- '\rundll32.exe'
- '\svchost.exe'
TargetFilename|endswith:
- '.bat'
- '.hta'
- '.iso'
- '.ps1'
- '.vbe'
- '.vbs'
filter_main_AppLockerPolicyTest:
Image: 'C:\Windows\System32\dllhost.exe'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
filter_main_clipchamp:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Program Files\WindowsApps\Clipchamp'
- '.ps1'
filter_main_powershell_preview:
Image:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|startswith:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
TargetFilename|endswith: '.ps1'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Renamed CreateDump Utility Execution
Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
status test
author Florian Roth (Nextron Systems)
id 1a1ed54a-2ba4-4221-94d5-01dee560d71e
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
- id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_pe:
OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
- CommandLine|contains|all:
- ' -u ' # Short version of '--full'
- ' -f ' # Short version of '--name'
- '.dmp'
- CommandLine|contains|all:
- ' --full ' # Short version of '--full'
- ' --name ' # Short version of '--name'
- '.dmp'
filter:
Image|endswith: '\createdump.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Command lines that use the same flags
level: high
related
high
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
status test
author Nasreddine Bencherchali (Nextron Systems), Anish Bogati
id f53714ec-5077-420e-ad20-907ff9bb2958
license Sigma · DRL-1.1
view Sigma YAML
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
status test
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
license Sigma · DRL-1.1
view Sigma YAML
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
- id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\createdump.exe'
- OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
CommandLine|contains:
- ' -u ' # Short version of '--full'
- ' --full '
- ' -f ' # Short version of '--name'
- ' --name '
- '.dmp '
condition: all of selection_*
falsepositives:
- Command lines that use the same flags
level: high
related
high
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
status test
author Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
id 646ea171-dded-4578-8a4d-65e9822892e3
license Sigma · DRL-1.1
view Sigma YAML
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
- id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://twitter.com/pythonresponder/status/1385064506049630211?s=21
- https://twitter.com/Hexacorn/status/1224848930795552769
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
- https://twitter.com/Wietze/status/1542107456507203586
- https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli_1:
CommandLine|contains|all:
- 'comsvcs'
- 'full'
CommandLine|contains:
- '#-'
- '#+'
- '#24'
- '24 '
- 'MiniDump' # Matches MiniDump and MinidumpW
- '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around. for e.g ordinal 24 can be also represented by 65560 (65536+24)
selection_generic:
CommandLine|contains|all:
- '24'
- 'comsvcs'
- 'full'
CommandLine|contains:
- ' #'
- ',#'
- ', #'
- '"#'
condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
- Unlikely
level: high
related
high
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
status test
author Florian Roth (Nextron Systems), Tim Shelton
id 3dfd06d2-eaf4-4532-9555-68aca59f57c4
license Sigma · DRL-1.1
view Sigma YAML
title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Perflogs\'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\NetworkService\'
- ':\Windows\addins\'
- ':\Windows\debug\'
- ':\Windows\Fonts\'
- ':\Windows\Help\'
- ':\Windows\IME\'
- ':\Windows\Media\'
- ':\Windows\repair\'
- ':\Windows\security\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '$Recycle.bin'
- '\config\systemprofile\'
- '\Intel\Logs\'
- '\RSA\MachineKeys\'
filter_optional_ibm:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
filter_optional_citrix:
Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
Image|endswith: '\CitrixReceiverUpdater.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
related
high
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
status test
author Florian Roth (Nextron Systems)
id 9fff585c-c33e-4a86-b3cd-39312079a65f
license Sigma · DRL-1.1
view Sigma YAML
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
related
high
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
status test
author Florian Roth (Nextron Systems)
id 66e563f9-1cbd-4a22-a957-d8b7c0f44372
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
- https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\xordump.exe'
- CommandLine|contains:
- ' -process lsass.exe '
- ' -m comsvcs '
- ' -m dbghelp '
- ' -m dbgcore '
condition: selection
falsepositives:
- Another tool that uses the command line switches of XORdump
level: high
related
high
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
status test
author Florian Roth (Nextron Systems)
id eb1c4225-1c23-4241-8dd4-051389fde4ce
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
filter_folder:
Image|contains:
- '\Microsoft Visual Studio\'
- '\Extensions\' # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
susp_flags:
CommandLine|contains: '.txt'
cmd_has_flags:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
filter_cmd_misses_flags:
CommandLine|contains: '--dumpType'
condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
- Unknown
level: high
related
high
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
status test
author Florian Roth (Nextron Systems)
id 79b06761-465f-4f88-9ef2-150e24d3d737
license Sigma · DRL-1.1
view Sigma YAML
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
related
high
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
status test
author Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
id e4a6b256-3e47-40fc-89d2-7a477edd6915
license Sigma · DRL-1.1
view Sigma YAML
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
related
high
Suspicious MSDT Parent Process
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
status test
author Nextron Systems
id 7a74da6b-ea76-47db-92cc-874ad90df734
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022-06-01
modified: 2023-02-06
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
# Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
selection_msdt:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
status test
author Florian Roth (Nextron Systems)
id 52d097e2-063e-4c9c-8fbb-855c8948d135
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
related
high
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
status test
author Florian Roth (Nextron Systems)
id 737e618a-a410-49b5-bec3-9e55ff7fbc15
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains: '\calc.exe '
selection_2:
Image|endswith: '\calc.exe'
filter_main_known_locations:
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
- Unknown
level: high
related
high
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
status stable
author Florian Roth (Nextron Systems)
id 5afee48e-67dd-4e03-a783-f74259dcf998
license Sigma · DRL-1.1
view Sigma YAML
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
- https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1036
- attack.credential-access
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_flags:
CommandLine|contains|windash:
- ' -ma '
- ' -mm ' # Mini dump
- ' -mp ' # Miniplus dump
selection_process:
CommandLine|contains:
- ' ls' # Short for lsass
- ' keyiso'
- ' samss'
condition: all of selection_*
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses command line flags similar to ProcDump
level: high
related
high
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
status test
author Florian Roth (Nextron Systems)
id 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wermgr.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wscript.exe'
filter_main_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'C:\Windows\system32\WerConCpl.dll'
- 'LaunchErcApp '
CommandLine|contains:
- '-queuereporting'
- '-responsepester'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
status test
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id 340a090b-c4e9-412e-bb36-b4b16fe96f9b
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036
- attack.t1055.001
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains:
- 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
- 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
- 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
- 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
filter_main_legit_name:
Image|endswith: '\dctask64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Sdiagnhost Calling Suspicious Child Process
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
status test
author Nextron Systems, @Kostastsale
id f3d39c45-de1a-4486-a687-ab126124f744
license Sigma · DRL-1.1
view Sigma YAML
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sdiagnhost.exe'
Image|endswith:
# Add more suspicious LOLBins
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\taskkill.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
# - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
- '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
filter_main_cmd_bits:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'bits'
filter_main_powershell_noprofile:
Image|endswith: '\powershell.exe'
CommandLine|endswith:
- '-noprofile -'
- '-noprofile'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
related
high
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
status test
author Florian Roth (Nextron Systems)
id cbec226f-63d9-4eca-9f52-dfb6652f24df
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Process Parents
id: cbec226f-63d9-4eca-9f52-dfb6652f24df
status: test
description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
references:
- https://twitter.com/x86matthew/status/1505476263464607744?s=12
- https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2022-09-08
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\minesweeper.exe'
- '\winver.exe'
- '\bitsadmin.exe'
selection_special:
ParentImage|endswith:
- '\csrss.exe'
- '\certutil.exe'
# - '\schtasks.exe'
- '\eventvwr.exe'
- '\calc.exe'
- '\notepad.exe'
filter_special:
Image|endswith:
- '\WerFault.exe'
- '\wermgr.exe'
- '\conhost.exe' # csrss.exe, certutil.exe
- '\mmc.exe' # eventvwr.exe
- '\win32calc.exe' # calc.exe
- '\notepad.exe'
filter_null:
Image: null
condition: selection or ( selection_special and not 1 of filter_* )
falsepositives:
- Unknown
level: high
related
high
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
status test
author Nasreddine Bencherchali (Nextron Systems)
id 1c12727d-02bf-45ff-a9f3-d49806a3cf43
license Sigma · DRL-1.1
view Sigma YAML
title: Renamed Plink Execution
id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
status: test
description: Detects the execution of a renamed version of the Plink binary
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'Plink'
- CommandLine|contains|all:
- ' -l forward'
- ' -P '
- ' -R '
filter:
Image|endswith: '\plink.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high