Sigma rules for Intellexa / Predator / Cytrox
500 rules · scoped to actor · back to Intellexa / Predator / Cytrox
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1140
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'mcasSuspiciousInboxManipulationRules'
condition: selection
falsepositives:
- Actual mailbox rules that are moving items based on their workflow.
level: high
title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
- attack.stealth
- attack.t1140
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
falsepositives:
- Unknown
level: high
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
- attack.stealth
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020-1599
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'mshta.exe'
selection_cli:
CommandLine|contains:
- '.7z'
- '.avi'
- '.bat'
- '.bmp'
- '.conf'
- '.csv'
- '.dll'
- '.doc'
- '.gif'
- '.gz'
- '.ini'
- '.jpe'
- '.jpg'
- '.json'
- '.lnk'
- '.log'
- '.mkv'
- '.mp3'
- '.mp4'
- '.pdf'
- '.png'
- '.ppt'
- '.rar'
- '.rtf'
- '.svg'
- '.tar'
- '.tmp'
- '.txt'
- '.xls'
- '.xml'
- '.yaml'
- '.yml'
- '.zip'
- 'vbscript'
# - '.chm' # could be prone to false positives
# - '.exe'
condition: all of selection_*
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 3000
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.exfiltration
- attack.lateral-movement
- attack.t1190
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 2000
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: test
description: |
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 3001
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
- https://rules.sonarsource.com/java/RSPEC-2755
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'SAXParseException'
- 'DOMException'
condition: keywords
falsepositives:
- If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
level: high
title: Potential Local File Read Vulnerability In JVM Based Application
id: e032f5bc-4563-4096-ae3b-064bab588685
status: test
description: |
Detects potential local file read vulnerability in JVM based apps.
If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords_local_file_read:
'|all':
- 'FileNotFoundException'
- '/../../..'
condition: keywords_local_file_read
falsepositives:
- Application bugs
level: high
title: Potential JNDI Injection Exploitation In JVM Based Application
id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
status: test
description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
- https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'com.sun.jndi.ldap.'
- 'org.apache.logging.log4j.core.net.JndiManager'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Potential OGNL Injection Exploitation In JVM Based Application
id: 4d0af518-828e-4a04-a751-a7d03f3046ad
status: test
description: |
Detects potential OGNL Injection exploitation, which may lead to RCE.
OGNL is an expression language that is supported in many JVM based systems.
OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
- cve.2017-5638
- cve.2022-26134
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.apache.commons.ognl.OgnlException'
- 'ExpressionSyntaxException'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Process Execution Error In JVM Based Application
id: d65f37da-a26a-48f8-8159-3dde96680ad2
status: test
description: Detects process execution related exceptions in JVM based apps, often relates to RCE
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'Cannot run program'
- 'java.lang.ProcessImpl'
- 'java.lang.ProcessBuilder'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: test
description: Detects SQL error messages that indicate probing for an injection attack
references:
- http://www.sqlinjection.net/errors
author: Bjoern Kimminich
date: 2017-11-27
modified: 2023-02-12
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: sql
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)'
detection:
keywords:
# Oracle
- quoted string not properly terminated
# MySQL
- You have an error in your SQL syntax
# SQL Server
- Unclosed quotation mark
# SQLite
- 'near "*": syntax error'
- SELECTs to the left and right of UNION do not have the same number of result columns
condition: keywords
falsepositives:
- A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
level: high
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
- https://antgarsil.github.io/posts/velocity/
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: velocity
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'ParseErrorException'
- 'VelocityException'
- 'TemplateInitException'
condition: keywords
falsepositives:
- Application bugs
- Missing .vm files
level: high
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: nodejs
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'node:child_process'
condition: keywords
falsepositives:
- Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
level: high
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Suspicious Named Error
id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
status: test
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
author: Florian Roth (Nextron Systems)
date: 2018-02-20
modified: 2022-10-05
tags:
- attack.initial-access
- attack.t1190
logsource:
product: linux
service: syslog
detection:
keywords:
- ' dropping source port zero packet from '
- ' denied AXFR from '
- ' exiting (due to fatal error)'
condition: keywords
falsepositives:
- Unknown
level: high
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: |
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
- https://twitter.com/breakersall/status/1533493587828260866
- https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
- https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
modified: 2026-01-24
tags:
- attack.initial-access
- attack.t1190
- attack.reconnaissance
- attack.t1595.002
logsource:
category: dns
detection:
selection:
query|endswith:
- '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
- '.canarytokens.com' # Thinkst Canary Canarytokens
- '.ceye.io'
- '.ddns.1443.eu.org' # dig.pm
- '.ddns.bypass.eu.org' # dig.pm
- '.ddns.xn--gg8h.eu.org' # dig.pm
- '.digimg.store' # dnslog.ink
- '.dns.su18.org' # javaweb.org
- '.dnshook.site' # webhook.site
- '.dnslog.cn'
- '.dnslog.ink' # dnslog.ink
- '.instances.httpworkbench.com' # httpworkbench.com
- '.interact.sh' # Project Discovery Interactsh
- '.log.dnslog.pp.ua' # dnslog.org
- '.log.dnslog.qzz.io' # dnslog.org
- '.log.dnslogs.dpdns.org' # dnslog.org
- '.log.javaweb.org' # javaweb.org
- '.log.nat.cloudns.ph' # dnslog.org
- '.oast.fun' # Project Discovery Interactsh
- '.oast.live' # Project Discovery Interactsh
- '.oast.me' # Project Discovery Interactsh
- '.oast.online' # Project Discovery Interactsh
- '.oast.pro' # Project Discovery Interactsh
- '.oast.site' # Project Discovery Interactsh
- '.oastify.com' # Portswigger Burpsuite Collaborator
- '.p8.lol' # javaweb.org
- '.requestbin.net'
filter_main_polling:
query|contains: 'polling.oastify.com'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate security scanning.
level: high
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\MSExchangeMailboxReplication.exe'
TargetFilename|endswith:
- '.aspx'
- '.asp'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\w3wp.exe'
TargetFilename|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
TargetFilename|contains:
- '\15\TEMPLATE\LAYOUTS\'
- '\16\TEMPLATE\LAYOUTS\'
TargetFilename|endswith:
- '.asax'
- '.ascx'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cmd'
- '.cer'
- '.config'
- '.hta'
- '.js'
- '.jsp'
- '.jspx'
- '.php'
- '.ps1'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
- id: 344482e4-a477-436c-aa70-7536d18a48c7
type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
- attack.t1505.003
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
# You can add other uncommon or suspicious processes
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\wsl.exe'
filter_optional_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter_optional_*
level: high
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1505.003
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\php.exe'
- '\tomcat.exe'
- '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- '\w3wp.exe'
- '\ws_TomcatService.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.home'
- 'catalina.jar'
selection_anomaly_children:
Image|endswith:
- '\arp.exe'
- '\at.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dsget.exe'
- '\hostname.exe'
- '\nbtstat.exe'
- '\net.exe'
- '\net1.exe'
- '\netdom.exe'
- '\netsh.exe'
- '\nltest.exe'
- '\ntdsutil.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\qprocess.exe'
- '\query.exe'
- '\qwinsta.exe'
- '\reg.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wusa.exe'
filter_main_fp_1:
ParentImage|endswith: '\java.exe'
CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
filter_main_fp_2:
ParentImage|endswith: '\java.exe'
CommandLine|contains|all:
- 'sc query'
- 'ADManager Plus'
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawnd from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
- Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wsmprovhost.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
condition: selection
falsepositives:
- Legitimate WinRM usage
level: high
title: Terminal Service Process Spawn
id: 1012f107-b8f1-4271-af30-5aed2de89b39
status: test
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth (Nextron Systems)
date: 2019-05-22
modified: 2023-01-25
tags:
- attack.initial-access
- attack.t1190
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine|contains|all:
- '\svchost.exe'
- 'termsvcs'
filter_img:
Image|endswith:
- '\rdpclip.exe'
- ':\Windows\System32\csrss.exe'
- ':\Windows\System32\wininit.exe'
- ':\Windows\System32\winlogon.exe'
filter_null:
Image: null
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\ScreenConnect.Service.exe'
Image|endswith:
- '\cmd.exe'
- '\csc.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
- attack.initial-access
- attack.t1190
- attack.credential-access
- attack.t1110
logsource:
category: proxy
detection:
selection:
c-useragent|contains:
# Vulnerability scanner and brute force tools
- '(hydra)'
- ' arachni/'
- ' BFAC '
- ' brutus '
- ' cgichk '
- 'core-project/1.0'
- ' crimscanner/'
- 'datacha0s'
- 'dirbuster'
- 'domino hunter'
- 'dotdotpwn'
- 'FHScan Core'
- 'floodgate'
- 'get-minimal'
- 'gootkit auto-rooter scanner'
- 'grendel-scan'
- ' inspath '
- 'internet ninja'
- 'jaascois'
- ' zmeu '
- 'masscan'
- ' metis '
- 'morfeus fucking scanner'
- 'n-stealth'
- 'nsauditor'
- 'pmafind'
- 'security scan'
- 'springenwerk'
- 'teh forest lobster'
- 'toata dragostea'
- ' vega/'
- 'voideye'
- 'webshag'
- 'webvulnscan'
- ' whcc/'
# SQL Injection
- ' Havij'
- 'absinthe'
- 'bsqlbf'
- 'mysqloit'
- 'pangolin'
- 'sql power injector'
- 'sqlmap'
- 'sqlninja'
- 'uil2pn'
# Hack tool
- 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selection
falsepositives:
- Unknown
level: high
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
- https://twitter.com/httpvoid0x2f/status/1532924261035384832
- https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
- cve.2022-26134
- cve.2021-26084
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
keywords:
- '%24%7B%28%23a%3D%40'
- '${(#a=@'
- '%24%7B%40java'
- '${@java'
- 'u0022java'
- '%2F%24%7B%23'
- '/${#'
- 'new+java.'
- 'getRuntime().exec('
- 'getRuntime%28%29.exec%28'
condition: keywords
falsepositives:
- Legitimate apps
level: high
title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
- https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
- https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
- https://brightsec.com/blog/sql-injection-payloads/
- https://github.com/payloadbox/sql-injection-payload-list
- https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
keywords:
- '@@version'
- '%271%27%3D%271'
- '=select '
- '=select('
- '=select%20'
- 'concat_ws('
- 'CONCAT(0x'
- 'from mysql.innodb_table_stats'
- 'from%20mysql.innodb_table_stats'
- 'group_concat('
- 'information_schema.tables'
- 'json_arrayagg('
- 'or 1=1#'
- 'or%201=1#'
- 'order by '
- 'order%20by%20'
- 'select * '
- 'select database()'
- 'select version()'
- 'select%20*%20'
- 'select%20database()'
- 'select%20version()'
- 'select%28sleep%2810%29'
- 'SELECTCHAR('
- 'table_schema'
- 'UNION ALL SELECT'
- 'UNION SELECT'
- 'UNION%20ALL%20SELECT'
- 'UNION%20SELECT'
- "'1'='1"
filter_main_status:
sc-status: 404
condition: selection and keywords and not 1 of filter_main_*
falsepositives:
- Java scripts and CSS Files
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
- https://github.com/pimps/JNDI-Exploit-Kit
- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
keywords:
- '/Basic/Command/Base64/'
- '/Basic/ReverseShell/'
- '/Basic/TomcatMemshell'
- '/Basic/JettyMemshell'
- '/Basic/WeblogicMemshell'
- '/Basic/JBossMemshell'
- '/Basic/WebsphereMemshell'
- '/Basic/SpringMemshell'
- '/Deserialization/URLDNS/'
- '/Deserialization/CommonsCollections1/Dnslog/'
- '/Deserialization/CommonsCollections2/Command/Base64/'
- '/Deserialization/CommonsBeanutils1/ReverseShell/'
- '/Deserialization/Jre8u20/TomcatMemshell'
- '/TomcatBypass/Dnslog/'
- '/TomcatBypass/Command/'
- '/TomcatBypass/ReverseShell/'
- '/TomcatBypass/TomcatMemshell'
- '/TomcatBypass/SpringMemshell'
- '/GroovyBypass/Command/'
- '/WebsphereBypass/Upload/'
condition: keywords
falsepositives:
- Legitimate apps the use these paths
level: high
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
- https://gtfobins.github.io/gtfobins/wget/
- https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
- attack.execution
- attack.t1059.004
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection_downloader:
CommandLine|contains:
- '/curl'
- '/wget'
selection_tmp:
CommandLine|contains:
- '/tmp/'
- '/dev/shm/'
selection_executor:
CommandLine|contains: 'sh -c'
condition: all of selection_*
falsepositives:
- System update scripts using temporary files
- Installer scripts or automated provisioning tools
level: high
title: Network Connection Initiated By Eqnedt32.EXE
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: test
description: Detects network connections from the Equation Editor process "eqnedt32.exe".
references:
- https://twitter.com/forensicitguy/status/1513538712986079238
- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
- https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
author: Max Altgelt (Nextron Systems)
date: 2022-04-14
modified: 2024-05-31
tags:
- attack.execution
- attack.t1203
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\eqnedt32.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
- https://twitter.com/cyberwar_15/status/1187287262054076416
- https://blog.alyac.co.kr/1901
- https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1203
- attack.t1059.003
- attack.g0032
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Hwp.exe'
Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
- attack.execution
- attack.t1204
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ATK/' # Sophos
- 'Exploit.Script.CVE'
- 'HKTL'
- 'HTOOL'
- 'PWS.'
- 'PWSX'
- 'SecurityTool'
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'FastReverseProxy'
- 'Hacktool'
- 'Havoc'
- 'Impacket'
- 'Keylogger'
- 'Koadic'
- 'Mimikatz'
- 'Nighthawk'
- 'PentestPowerShell'
- 'Potato'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Rozena'
- 'Rusthound'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'SharpHound'
- 'Shellcode'
- 'Sliver'
- 'Snaffler'
- 'SOAPHound'
- 'Splinter'
- 'Swrort'
- 'TurtleLoader'
condition: selection
falsepositives:
- Unlikely
level: high
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
- https://intel.thedfirreport.com/events/view/30032 # Private Report
- https://intel.thedfirreport.com/eventReports/view/70 # Private Report
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
- attack.execution
- attack.t1204
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: ':\Users\Public\'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Administrators deploying legitimate binaries to public folders.
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml
title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: test
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
references:
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
author: Florian Roth (Nextron Systems)
date: 2019-04-05
modified: 2021-11-27
tags:
- attack.t1204.001
- attack.execution
logsource:
product: linux
detection:
keywords:
- 'ln -s -f /etc/passwd'
- 'ln -s /etc/passwd'
condition: keywords
falsepositives:
- Unknown
level: high
title: Suspicious ClickFix/FileFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
related:
- id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
type: similar
status: experimental
description: |
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ # filefix variant
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_cli_captcha:
CommandLine|contains:
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
- id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
type: similar
status: experimental
description: |
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
such as one-liners that execute remotely hosted malicious files or scripts.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
logsource:
category: registry_set
product: windows
detection:
selection_registry:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
selection_details:
Details|contains:
- 'http://'
- 'https://'
selection_susp_pattern:
- Details|contains:
# Add more suspicious keywords
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
- Details|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
condition: all of selection_*
falsepositives:
- Legitimate applications using RunMRU with HTTP links
level: high
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: test
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.collection
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 16001
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential RemoteFXvGPUDisablement.EXE Abuse
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
service: powershell-classic
definition: fields have to be extract from event
detection:
selection:
Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: test
description: |
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2024-07-16
tags:
- attack.stealth
- attack.t1218
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\addinutil.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.ps1'
- '.bat'
- '.vbs'
- '.scf'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious DotNET CLR Usage Log Artifact
id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
related:
- id: 4508a70e-97ef-4300-b62b-ff27992990ea
type: derived
- id: e4b63079-6198-405c-abd7-3fe8b0ce3263
type: obsolete
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
- https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
- https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
author: frack113, omkar72, oscd.community, Wojciech Lesicki
date: 2022-11-18
modified: 2023-02-23
tags:
- attack.stealth
- attack.t1218
logsource:
category: file_event
product: windows
definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
detection:
selection:
TargetFilename|endswith:
- '\UsageLogs\cmstp.exe.log'
- '\UsageLogs\cscript.exe.log'
- '\UsageLogs\mshta.exe.log'
- '\UsageLogs\msxsl.exe.log'
- '\UsageLogs\regsvr32.exe.log'
- '\UsageLogs\rundll32.exe.log'
- '\UsageLogs\svchost.exe.log'
- '\UsageLogs\wscript.exe.log'
- '\UsageLogs\wmic.exe.log'
filter_main_rundll32:
# This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
ParentImage|endswith: '\MsiExec.exe'
ParentCommandLine|contains: ' -Embedding'
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'Temp'
- 'zzzzInvokeManagedCustomActionOutOfProc'
condition: selection and not 1 of filter_main_*
falsepositives:
- Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
level: high
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
- id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
type: similar
status: experimental
description: |
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
- https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection_img:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\cmdl32.exe'
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
- '\bitsadmin.exe'
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
- '\expand.exe'
- '\extrac32.exe'
- '\replace.exe'
- '\mshta.exe'
- '\ftp.exe'
- '\Ldifde.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
- '\findstr.exe'
selection_locations:
TargetFilename|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables
- \winword.exe
- \excel.exe
- \powerpnt.exe
- \msaccess.exe
- \mspub.exe
- \eqnedt32.exe
- \visio.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- \finger.exe
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \notepad.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \mshta.exe
- \hh.exe
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.7z'
- '.diagcab'
- '.appx'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
- https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
category: process_creation
product: windows
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.003
- attack.t1218
detection:
selection:
ParentImage|endswith: '\SpeechRuntime.exe'
condition: selection
falsepositives:
- Unlikely.
level: high
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
- https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith: '\WorkFolders.exe'
filter:
Image: 'C:\Windows\System32\control.exe'
condition: selection and not filter
falsepositives:
- Legitimate usage of the uncommon Windows Work Folders feature.
level: high
title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcwrun.exe'
CommandLine|contains: '../'
condition: selection
falsepositives:
- Unlikely
level: high
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high