Sigma rules for Intellexa / Predator / Cytrox
500 rules · scoped to actor · back to Intellexa / Predator / Cytrox
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\provlaunch.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Renamed MegaSync Execution
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
status: test
description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
references:
- https://redcanary.com/blog/rclone-mega-extortion/
author: Sittikorn S
date: 2021-06-22
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
OriginalFileName: 'megasync.exe'
filter:
Image|endswith: '\megasync.exe'
condition: selection and not filter
falsepositives:
- Software that illegally integrates MegaSync in a renamed form
- Administrators that have renamed MegaSync
level: high
title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|contains: '\choice'
filter_main_legit_location:
Image|endswith:
- 'C:\Windows\System32\choice.exe'
- 'C:\Windows\SysWOW64\choice.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
title: Suspicious AddinUtil.EXE CommandLine Execution
id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
status: test
description: |
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\addinutil.exe'
- OriginalFileName: 'AddInUtil.exe'
selection_susp_1_flags:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
selection_susp_1_paths:
CommandLine|contains:
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
selection_susp_2:
CommandLine|contains:
- '-AddInRoot:.'
- '-AddInRoot:"."'
- '-PipelineRoot:.'
- '-PipelineRoot:"."'
CurrentDirectory|contains:
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
condition: selection_img and (all of selection_susp_1_* or selection_susp_2)
falsepositives:
- Unknown
level: high
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
- id: aaf46cdc-934e-4284-b329-34aa701e3771
type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- Image|contains:
- '\AppData\Local\'
- '\AppData\Roaming\'
- ':\Users\Public\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\PerfLogs\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
- id: 7dc2dedd-7603-461a-bc13-15803d132355
type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.stealth
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\conhost.exe'
selection_child:
- Image|endswith:
- '\cmd.exe' # Windows Command Prompt
- '\cscript.exe' # Windows Script Host (used for scripting exploits)
- '\mshta.exe' # MSHTA (HTML Application Host, often abused)
- '\powershell_ise.exe' # PowerShell ISE
- '\powershell.exe' # Windows PowerShell
- '\pwsh.exe' # PowerShell Core
- '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
- '\wscript.exe' # Windows Script Host (for executing scripts)
- OriginalFileName:
- 'cmd.exe'
- 'cscript.exe'
- 'mshta.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'pwsh.dll'
- 'regsvr32.exe'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
title: Suspicious AgentExecutor PowerShell Execution
id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
related:
- id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
type: similar
status: test
description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
- https://twitter.com/lefterispan/status/1286259016436514816
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
- https://twitter.com/jseerden/status/1247985304667066373/photo/1
date: 2022-12-24
modified: 2024-08-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\AgentExecutor.exe'
- OriginalFileName: 'AgentExecutor.exe'
selection_cli:
# Example:
# AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
# Note:
# - If [timeoutSeconds] is NULL then it defaults to 60000
# - If [enforceSignatureCheck] is:
# - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
# - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
# - [powershellPath] is always concatendated to "powershell.exe"
CommandLine|contains:
- ' -powershell' # Also covers the "-powershellDetection" flag
- ' -remediationScript'
filter_main_pwsh:
CommandLine|contains:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
filter_main_intune:
ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'HH.exe'
- Image|endswith: '\hh.exe'
selection_paths:
CommandLine|contains:
- '.application'
- '\AppData\Local\Temp\'
- '\Content.Outlook\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\AppData\Local\Temp\Temp?_'
# - '\AppData\Local\Temp\Rar$'
# - '\AppData\Local\Temp\7z'
# - '\AppData\Local\Temp\wz'
# - '\AppData\Local\Temp\peazip-tmp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
Detects the execution of Winrs.exe where it is used to execute commands locally.
Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.006
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
# Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
- Image|endswith: '\winrs.exe'
- OriginalFileName: 'winrs.exe'
selection_local_ip:
CommandLine|contains|windash:
- '/r:localhost'
- '/r:127.0.0.1'
- '/r:[::1]'
- '/remote:localhost'
- '/remote:127.0.0.1'
- '/remote:[::1]'
filter_main_remote:
CommandLine|contains|windash:
- "/r:"
- "/remote:"
condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
- Unlikely
level: high
title: Potential Suspicious Mofcomp Execution
id: 1dd05363-104e-4b4a-b963-196a534b03a1
status: test
description: |
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-04-11
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mofcomp.exe'
- OriginalFileName: 'mofcomp.exe'
selection_case:
- ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\wscript.exe'
- '\cscript.exe'
- CommandLine|contains:
- '\AppData\Local\Temp'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '%temp%'
- '%tmp%'
- '%appdata%'
filter_main_wmiprvse:
ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
filter_optional_null_parent:
# Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'MpCmdRun.exe'
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: 'MpCmdRun.exe'
- Description: 'Microsoft Malware Protection Command Line Utility'
selection_cli:
CommandLine|contains|all:
- 'DownloadFile'
- 'url'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Sensitive File Dump Via Print.EXE
id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
status: test
description: |
Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
references:
- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
- https://www.huntress.com/blog/credential-theft-expanding-your-reach-pt-2
- https://lolbas-project.github.io/lolbas/Binaries/Print/
author: Ayush Anand (Securityinbits)
date: 2026-04-28
tags:
- attack.credential-access
- attack.stealth
- attack.t1003.003
- attack.t1003.002
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\print.exe'
- OriginalFileName: 'Print.EXE'
selection_cli:
CommandLine|contains|windash: '/D'
CommandLine|contains:
- '\config\SAM'
- '\config\SECURITY'
- '\config\SYSTEM'
- '\windows\ntds\ntds.dit'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files/info.yml
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Invoke-ATHRemoteFXvGPUDisablementCommand'
- 'Invoke-ATHRemoteFXvGPUDisableme'
condition: selection
falsepositives:
- Unknown
level: high
title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
status: test
description: |
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
This behavior has been observed in-the-wild by different threat actors.
references:
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-05
modified: 2024-06-04
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
# VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
selection_img:
- Image|endswith: '\iexpress.exe'
- OriginalFileName: 'IEXPRESS.exe'
selection_cli:
CommandLine|contains|windash: ' /n '
selection_paths:
CommandLine|contains:
# Note: Add more uncommon paths that fit your organizational needs.
- ':\ProgramData\'
- ':\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
condition: all of selection_*
falsepositives:
- Administrators building packages using iexpress.exe
level: high
title: Arbitrary File Download Via IMEWDBLD.EXE
id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
related:
- id: 8d7e392e-9b28-49e1-831d-5949c6281228
type: derived
status: test
description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\IMEWDBLD.exe'
- OriginalFileName: 'imewdbld.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL
level: high
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
CommandLine|contains|windash: ' -af '
filter_main_pcwrun:
ParentImage|endswith: '\pcwrun.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Possible undocumented parents of "msdt" other than "pcwrun".
level: high
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
- id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
type: similar
status: experimental
description: |
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\baaupdate.exe'
Image|endswith:
- '\bitsadmin.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious DLL Loaded via CertOC.EXE
id: 84232095-ecca-4015-b0d7-7726507ee793
related:
- id: 242301bc-f92f-4476-8718-78004a6efd9f
type: similar
status: test
description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains|windash: ' -LoadDLL '
selection_paths:
CommandLine|contains:
- '\Appdata\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- 'C:\Windows\Tasks\'
- 'C:\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: test
description: The Devtoolslauncher.exe executes other binary
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
- https://twitter.com/_felamos/status/1179811992841797632
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\devtoolslauncher.exe'
CommandLine|contains: 'LaunchForDeploy'
condition: selection
falsepositives:
- Legitimate use of devtoolslauncher.exe by legitimate user
level: high
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\hh.exe'
Image|endswith:
- '\CertReq.exe'
- '\CertUtil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\installutil.exe'
- '\MSbuild.exe'
- '\MSHTA.EXE'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: MpiExec Lolbin
id: 729ce0ea-5d8f-4769-9762-e35de441586d
status: test
description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1465058133303246867
- https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2024-11-23
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_binary:
- Image|endswith: '\mpiexec.exe'
- Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
selection_flags:
CommandLine|contains:
- ' /n 1 '
- ' -n 1 '
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Potential NTLM Coercion Via Certutil.EXE
id: 6c6d9280-e6d0-4b9d-80ac-254701b64916
status: test
description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
references:
- https://github.com/LOLBAS-Project/LOLBAS/issues/243
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|all:
- ' -syncwithWU '
- ' \\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
# - '\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
- '\regsvr32.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
filter_ccmcache:
CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
ParentImage|endswith: '\mshta.exe'
Image|endswith: '\mshta.exe'
ParentCommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\splash.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
CommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\SMSSETUP\BIN\'
- '\autorun.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
condition: selection and not 1 of filter_*
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
title: OpenWith.exe Executes Specified Binary
id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
status: test
description: The OpenWith.exe executes other binary
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
- https://twitter.com/harr0ey/status/991670870384021504
author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\OpenWith.exe'
CommandLine|contains: '/c'
condition: selection
falsepositives:
- Unknown
level: high
title: Proxy Execution Via Wuauclt.EXE
id: af77cf95-c469-471c-b6a0-946c685c4798
related:
- id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
type: obsolete
- id: d7825193-b70a-48a4-b992-8b5b3015cc11
type: obsolete
status: test
description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
references:
- https://dtm.uk/wuauclt/
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
date: 2020-10-12
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wuauclt.exe'
- OriginalFileName: 'wuauclt.exe'
selection_cli:
CommandLine|contains|all:
- 'UpdateDeploymentProvider'
- 'RunHandlerComServer'
filter_main_generic:
# Note: Please enhance this if you find the full path
CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
filter_main_wuaueng:
# Note: Please enhance this if you find the full path
CommandLine|contains: ' wuaueng.dll '
filter_main_uus:
CommandLine|contains:
- ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
- ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
filter_main_winsxs:
CommandLine|contains|all:
- ':\Windows\WinSxS\'
- '\UpdateDeploy.dll /ClassId '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|windash: ' -c '
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
- '&'
condition: selection
falsepositives:
- Unknown
level: high
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\ttdrecord.dll'
- '\ttdwriter.dll'
- '\ttdloader.dll'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
- id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
type: similar
status: experimental
description: |
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\BaaUpdate.exe'
ImageLoaded|endswith: '.dll'
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Favorites\'
- '\Favourites\'
- '\Links\'
- '\Music\'
- '\Pictures\'
- '\ProgramData\'
- '\Temporary Internet'
- '\Videos\'
condition: selection
falsepositives:
- Unknown
level: high
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
filter:
Details: '%CommonProgramFiles%\System\wab32.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Swachchhanda Shrawan Poudel
date: 2023-08-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
- id: 10cb6535-b31d-4512-9962-513dcbc42cc1
type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
- https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2024-11-23
tags:
- attack.persistence
- attack.privilege-escalation
- cve.2021-21551
- attack.t1543
logsource:
category: driver_load
product: windows
detection:
selection:
- ImageLoaded|endswith: '\kprocesshacker.sys'
- Hashes|contains:
- 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
condition: selection
falsepositives:
- Legitimate use of process hacker or system informer by developers or system administrators
level: high
title: CodeIntegrity - Blocked Driver Load With Revoked Certificate
id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
status: test
description: Detects blocked load attempts of revoked drivers
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID: 3023 # The driver %2 is blocked from loading as the driver has been revoked by Microsoft.
condition: selection
falsepositives:
- Unknown
level: high
title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation
id: e4be5675-4a53-426a-8c81-a8bb2387e947
status: test
description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
references:
- https://twitter.com/wdormann/status/1590434950335320065
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2023-06-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
product: windows
service: codeintegrity-operational
detection:
selection:
EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX).
condition: selection
falsepositives:
- Unknown
level: high
title: Service Installed By Unusual Client - Security
id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
related:
- id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
- https://www.x86matthew.com/view_post?id=create_svc_rpc
- https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
service: security
product: windows
definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
selection_eid:
EventID: 4697
selection_pid:
- ClientProcessId: 0
- ParentProcessId: 0
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
- https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName: 'KrbSCM'
condition: selection
falsepositives:
- Unknown
level: high
title: Service Installed By Unusual Client - System
id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
related:
- id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ProcessId: 0
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Persistence Via PlistBuddy
id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
status: test
description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
references:
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
- https://www.manpagez.com/man/8/PlistBuddy/
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.001
- attack.t1543.004
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/PlistBuddy'
CommandLine|contains|all:
- 'RunAtLoad'
- 'true'
CommandLine|contains:
- 'LaunchAgents'
- 'LaunchDaemons'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: test
description: |
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
references:
- https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
author: Greg (rule)
date: 2022-07-21
modified: 2023-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: file_event
product: windows
detection:
selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
TargetFilename|contains|all:
- '\Microsoft\Windows\Start Menu\Programs\Startup'
- '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
Image|endswith: '\explorer.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious GrpConv Execution
id: f14e169e-9978-4c69-acb3-1cff8200bc36
status: test
description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
references:
- https://twitter.com/0gtweet/status/1526833181831200770
author: Florian Roth (Nextron Systems)
date: 2022-05-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'grpconv.exe -o'
- 'grpconv -o'
condition: selection
falsepositives:
- Unknown
level: high
title: Registry Persistence Mechanisms in Recycle Bin
id: 277efb8f-60be-4f10-b4d3-037802f37167
status: test
description: Detects persistence registry keys for Recycle Bin
references:
- https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
- https://persistence-info.github.io/Data/recyclebin.html
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
author: frack113
date: 2021-11-18
modified: 2022-12-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: registry_event
product: windows
detection:
selection_create:
EventType: RenameKey
NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
selection_set:
EventType: SetValue
TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: WINEKEY Registry Modification
id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
status: test
description: Detects potential malicious modification of run keys by winekey or team9 backdoor
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
condition: selection
falsepositives:
- Unknown
level: high
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\winlogon.exe'
- '\services.exe'
- '\lsass.exe'
- '\csrss.exe'
- '\smss.exe'
- '\wininit.exe'
- '\spoolsv.exe'
- '\searchindexer.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
filter:
CommandLine|contains|all:
- ' route '
- ' ADD '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
ParentImage|endswith:
- '\TrustedInstaller.exe'
- '\ProcessHacker.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
- Internal Research
author: Florent Labouyrie
date: 2021-04-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\svchost.exe'
GrantedAccess: '0x143a'
filter_main_known_processes:
SourceImage|endswith:
- '\services.exe'
- '\msiexec.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
- https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1548
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
AuthenticationPackageName: 'Kerberos'
IpAddress: '127.0.0.1'
TargetUserSid|startswith: 'S-1-5-21-'
TargetUserSid|endswith: '-500'
filter_main_ip_null:
IpPort: '0'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Vulnerable Netlogon Secure Channel Connection Allowed
id: a0cb7110-edf0-47a4-9177-541a4083128a
status: test
description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
references:
- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
author: NVISO
date: 2020-09-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: NetLogon # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}
EventID: 5829
condition: selection
falsepositives:
- Unknown
level: high
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546
- attack.t1548
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Okta Password in AlternateID Field
id: 91b76b84-8589-47aa-9605-c837583b82a9
status: test
description: |
Detects when a user has potentially entered their password into the
username field, which will cause the password to be retained in log files.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
- https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
author: kelnage
date: 2023-04-03
modified: 2026-04-27
tags:
- attack.credential-access
- attack.t1552
logsource:
product: okta
service: okta
detection:
selection:
legacyEventType: 'core.user_auth.login_failed'
filter_main:
# Okta service account names start with 0oa
# Email addresses are the default format for Okta usernames, so attempt
# to exclude alternateIds that look like valid emails
# If your Okta configuration uses different character restrictions, you
# will need to update this regular expression to reflect that or disable the rule for your environment
# Possible false negatives are failed login attempts with a password that looks like a valid email address
actor.alternateId|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})'
condition: selection and not filter_main
falsepositives:
- Unlikely
level: high