Sigma rules for LAPSUS$
516 rules · scoped to actor
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant launchers
references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
    condition: 1 of selection_*
level: high

title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -windowstyle h '
            - ' -windowstyl h'
            - ' -windowsty h'
            - ' -windowst h'
            - ' -windows h'
            - ' -windo h'
            - ' -wind h'
            - ' -win h'
            - ' -wi h'
            - ' -win h '
            - ' -win hi '
            - ' -win hid '
            - ' -win hidd '
            - ' -win hidde '
            - ' -NoPr '
            - ' -NoPro '
            - ' -NoProf '
            - ' -NoProfi '
            - ' -NoProfil '
            - ' -nonin '
            - ' -nonint '
            - ' -noninte '
            - ' -noninter '
            - ' -nonintera '
            - ' -noninterac '
            - ' -noninteract '
            - ' -noninteracti '
            - ' -noninteractiv '
            - ' -ec '
            - ' -encodedComman '
            - ' -encodedComma '
            - ' -encodedComm '
            - ' -encodedCom '
            - ' -encodedCo '
            - ' -encodedC '
            - ' -encoded '
            - ' -encode '
            - ' -encod '
            - ' -enco '
            - ' -en '
            - ' -executionpolic '
            - ' -executionpoli '
            - ' -executionpol '
            - ' -executionpo '
            - ' -executionp '
            - ' -execution bypass'
            - ' -executio bypass'
            - ' -executi bypass'
            - ' -execut bypass'
            - ' -execu bypass'
            - ' -exec bypass'
            - ' -exe bypass'
            - ' -ex bypass'
            - ' -ep bypass'
            - ' /windowstyle h '
            - ' /windowstyl h'
            - ' /windowsty h'
            - ' /windowst h'
            - ' /windows h'
            - ' /windo h'
            - ' /wind h'
            - ' /win h'
            - ' /wi h'
            - ' /win h '
            - ' /win hi '
            - ' /win hid '
            - ' /win hidd '
            - ' /win hidde '
            - ' /NoPr '
            - ' /NoPro '
            - ' /NoProf '
            - ' /NoProfi '
            - ' /NoProfil '
            - ' /nonin '
            - ' /nonint '
            - ' /noninte '
            - ' /noninter '
            - ' /nonintera '
            - ' /noninterac '
            - ' /noninteract '
            - ' /noninteracti '
            - ' /noninteractiv '
            - ' /ec '
            - ' /encodedComman '
            - ' /encodedComma '
            - ' /encodedComm '
            - ' /encodedCom '
            - ' /encodedCo '
            - ' /encodedC '
            - ' /encoded '
            - ' /encode '
            - ' /encod '
            - ' /enco '
            - ' /en '
            - ' /executionpolic '
            - ' /executionpoli '
            - ' /executionpol '
            - ' /executionpo '
            - ' /executionp '
            - ' /execution bypass'
            - ' /executio bypass'
            - ' /executi bypass'
            - ' /execut bypass'
            - ' /execu bypass'
            - ' /exec bypass'
            - ' /exe bypass'
            - ' /ex bypass'
            - ' /ep bypass'
    condition: selection
falsepositives:
    - Unknown
level: high

title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
    - attack.stealth
    - attack.t1140
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains: '::FromBase64String'
        # UTF-16 LE
        - CommandLine|contains:
              - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
              - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
              - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Invoke-Obfuscation Via Use MSHTA
id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects obfuscated PowerShell via use of MSHTA in scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential Powershell ReverseShell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: stable
description: Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen in the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.
references:
    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-04-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' Net.Sockets.TCPClient'
            - '.GetStream('
            - '.Write('
    condition: all of selection_*
falsepositives:
    - In rare administrative cases, this function might be used to check network connectivity
level: high

title: Potential PowerShell Command Line Obfuscation
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
status: test
description: Detects the PowerShell command lines with special characters
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.execution
    - attack.stealth
    - attack.t1027
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_re:
        # TODO: Optimize for PySIGMA
        - CommandLine|re: '\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+'
        - CommandLine|re: '\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{'
        - CommandLine|re: '\^.*\^.*\^.*\^.*\^'
        - CommandLine|re: '`.*`.*`.*`.*`'
    filter_optional_amazonSSM:
        ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
    filter_optional_defender_atp:
        CommandLine|contains:
            - 'new EventSource("Microsoft.Windows.Sense.Client.Management"'
            - 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Amazon SSM Document Worker
    - Windows Defender ATP
level: high

title: Net WebClient Casing Anomalies
id: c86133ad-4725-4bd0-8170-210788e0a7ba
status: test
description: Detects PowerShell command line contents that include suspicious abnormal casing in the Net.WebClient string (e.g. nEt.WEbCliEnT) as used in obfuscation techniques
references:
    - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
date: 2022-05-24
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_encoded:
        CommandLine|contains:
            - 'TgBlAFQALgB3AEUAQg'
            - '4AZQBUAC4AdwBFAEIA'
            - 'OAGUAVAAuAHcARQBCA'
            - 'bgBFAHQALgB3AGUAYg'
            - '4ARQB0AC4AdwBlAGIA'
            - 'uAEUAdAAuAHcAZQBiA'
            - 'TgBFAHQALgB3AGUAYg'
            - 'OAEUAdAAuAHcAZQBiA'
            - 'bgBlAFQALgB3AGUAYg'
            - '4AZQBUAC4AdwBlAGIA'
            - 'uAGUAVAAuAHcAZQBiA'
            - 'TgBlAFQALgB3AGUAYg'
            - 'OAGUAVAAuAHcAZQBiA'
            - 'bgBFAFQALgB3AGUAYg'
            - '4ARQBUAC4AdwBlAGIA'
            - 'uAEUAVAAuAHcAZQBiA'
            - 'bgBlAHQALgBXAGUAYg'
            - '4AZQB0AC4AVwBlAGIA'
            - 'uAGUAdAAuAFcAZQBiA'
            - 'bgBFAHQALgBXAGUAYg'
            - '4ARQB0AC4AVwBlAGIA'
            - 'uAEUAdAAuAFcAZQBiA'
            - 'TgBFAHQALgBXAGUAYg'
            - 'OAEUAdAAuAFcAZQBiA'
            - 'bgBlAFQALgBXAGUAYg'
            - '4AZQBUAC4AVwBlAGIA'
            - 'uAGUAVAAuAFcAZQBiA'
            - 'TgBlAFQALgBXAGUAYg'
            - 'OAGUAVAAuAFcAZQBiA'
            - 'bgBFAFQALgBXAGUAYg'
            - '4ARQBUAC4AVwBlAGIA'
            - 'uAEUAVAAuAFcAZQBiA'
            - 'bgBlAHQALgB3AEUAYg'
            - '4AZQB0AC4AdwBFAGIA'
            - 'uAGUAdAAuAHcARQBiA'
            - 'TgBlAHQALgB3AEUAYg'
            - 'OAGUAdAAuAHcARQBiA'
            - 'bgBFAHQALgB3AEUAYg'
            - '4ARQB0AC4AdwBFAGIA'
            - 'uAEUAdAAuAHcARQBiA'
            - 'TgBFAHQALgB3AEUAYg'
            - 'OAEUAdAAuAHcARQBiA'
            - 'bgBlAFQALgB3AEUAYg'
            - '4AZQBUAC4AdwBFAGIA'
            - 'uAGUAVAAuAHcARQBiA'
            - 'TgBlAFQALgB3AEUAYg'
            - 'OAGUAVAAuAHcARQBiA'
            - 'bgBFAFQALgB3AEUAYg'
            - '4ARQBUAC4AdwBFAGIA'
            - 'uAEUAVAAuAHcARQBiA'
            - 'TgBFAFQALgB3AEUAYg'
            - 'OAEUAVAAuAHcARQBiA'
            - 'bgBlAHQALgBXAEUAYg'
            - '4AZQB0AC4AVwBFAGIA'
            - 'uAGUAdAAuAFcARQBiA'
            - 'TgBlAHQALgBXAEUAYg'
            - 'OAGUAdAAuAFcARQBiA'
            - 'bgBFAHQALgBXAEUAYg'
            - '4ARQB0AC4AVwBFAGIA'
            - 'uAEUAdAAuAFcARQBiA'
            - 'TgBFAHQALgBXAEUAYg'
            - 'OAEUAdAAuAFcARQBiA'
            - 'bgBlAFQALgBXAEUAYg'
            - '4AZQBUAC4AVwBFAGIA'
            - 'uAGUAVAAuAFcARQBiA'
            - 'TgBlAFQALgBXAEUAYg'
            - 'OAGUAVAAuAFcARQBiA'
            - 'bgBFAFQALgBXAEUAYg'
            - '4ARQBUAC4AVwBFAGIA'
            - 'uAEUAVAAuAFcARQBiA'
            - 'TgBFAFQALgBXAEUAYg'
            - 'OAEUAVAAuAFcARQBiA'
            - 'bgBlAHQALgB3AGUAQg'
            - '4AZQB0AC4AdwBlAEIA'
            - 'uAGUAdAAuAHcAZQBCA'
            - 'TgBlAHQALgB3AGUAQg'
            - 'OAGUAdAAuAHcAZQBCA'
            - 'bgBFAHQALgB3AGUAQg'
            - '4ARQB0AC4AdwBlAEIA'
            - 'uAEUAdAAuAHcAZQBCA'
            - 'TgBFAHQALgB3AGUAQg'
            - 'OAEUAdAAuAHcAZQBCA'
            - 'bgBlAFQALgB3AGUAQg'
            - '4AZQBUAC4AdwBlAEIA'
            - 'uAGUAVAAuAHcAZQBCA'
            - 'TgBlAFQALgB3AGUAQg'
            - 'OAGUAVAAuAHcAZQBCA'
            - 'bgBFAFQALgB3AGUAQg'
            - '4ARQBUAC4AdwBlAEIA'
            - 'uAEUAVAAuAHcAZQBCA'
            - 'TgBFAFQALgB3AGUAQg'
            - 'OAEUAVAAuAHcAZQBCA'
            - 'bgBlAHQALgBXAGUAQg'
            - '4AZQB0AC4AVwBlAEIA'
            - 'uAGUAdAAuAFcAZQBCA'
            - 'TgBlAHQALgBXAGUAQg'
            - 'OAGUAdAAuAFcAZQBCA'
            - 'bgBFAHQALgBXAGUAQg'
            - '4ARQB0AC4AVwBlAEIA'
            - 'uAEUAdAAuAFcAZQBCA'
            - 'TgBFAHQALgBXAGUAQg'
            - 'OAEUAdAAuAFcAZQBCA'
            - 'bgBlAFQALgBXAGUAQg'
            - '4AZQBUAC4AVwBlAEIA'
            - 'uAGUAVAAuAFcAZQBCA'
            - 'TgBlAFQALgBXAGUAQg'
            - 'OAGUAVAAuAFcAZQBCA'
            - 'bgBFAFQALgBXAGUAQg'
            - '4ARQBUAC4AVwBlAEIA'
            - 'uAEUAVAAuAFcAZQBCA'
            - 'TgBFAFQALgBXAGUAQg'
            - 'OAEUAVAAuAFcAZQBCA'
            - 'bgBlAHQALgB3AEUAQg'
            - '4AZQB0AC4AdwBFAEIA'
            - 'uAGUAdAAuAHcARQBCA'
            - 'TgBlAHQALgB3AEUAQg'
            - 'OAGUAdAAuAHcARQBCA'
            - 'bgBFAHQALgB3AEUAQg'
            - '4ARQB0AC4AdwBFAEIA'
            - 'uAEUAdAAuAHcARQBCA'
            - 'TgBFAHQALgB3AEUAQg'
            - 'OAEUAdAAuAHcARQBCA'
            - 'bgBlAFQALgB3AEUAQg'
            - 'uAGUAVAAuAHcARQBCA'
            - 'bgBFAFQALgB3AEUAQg'
            - '4ARQBUAC4AdwBFAEIA'
            - 'uAEUAVAAuAHcARQBCA'
            - 'TgBFAFQALgB3AEUAQg'
            - 'OAEUAVAAuAHcARQBCA'
            - 'TgBlAHQALgBXAEUAQg'
            - '4AZQB0AC4AVwBFAEIA'
            - 'OAGUAdAAuAFcARQBCA'
            - 'bgBFAHQALgBXAEUAQg'
            - '4ARQB0AC4AVwBFAEIA'
            - 'uAEUAdAAuAFcARQBCA'
            - 'TgBFAHQALgBXAEUAQg'
            - 'OAEUAdAAuAFcARQBCA'
            - 'bgBlAFQALgBXAEUAQg'
            - '4AZQBUAC4AVwBFAEIA'
            - 'uAGUAVAAuAFcARQBCA'
            - 'TgBlAFQALgBXAEUAQg'
            - 'OAGUAVAAuAFcARQBCA'
            - 'bgBFAFQALgBXAEUAQg'
            - '4ARQBUAC4AVwBFAEIA'
            - 'uAEUAVAAuAFcARQBCA'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: test
description: Detects suspicious ways to run Invoke-Expression using the IEX alias
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-24
modified: 2022-11-28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_combined_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' | iex;'
            - ' | iex '
            - ' | iex}'
            - ' | IEX ;'
            - ' | IEX -Error'
            - ' | IEX (new'
            - ');IEX '
    selection_combined_2:
        CommandLine|contains:
            - '::FromBase64String'
            - '.GetString([System.Convert]::'
    selection_standalone:
        CommandLine|contains:
            - ')|iex;$'
            - ');iex($'
            - ');iex $'
            - ' | IEX | '
            - ' | iex\"'
    condition: all of selection_combined_* or selection_standalone
falsepositives:
    - Legitimate scripts that use IEX
level: high

title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line options and accept an 'All' parameter
level: high

title: PowerShell Base64 Encoded WMI Classes
id: 1816994b-42e1-4fb1-afd2-134d88184f71
related:
    - id: 47688f1b-9f51-4656-b013-3cc49a166a36
      type: obsolete
status: test
description: Detects calls to base64 encoded WMI classes such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
references:
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_shadowcopy:
        # Win32_ShadowCopy
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
            - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
            - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'
            - 'V2luMzJfU2hhZG93Y29we'
            - 'dpbjMyX1NoYWRvd2NvcH'
            - 'XaW4zMl9TaGFkb3djb3B5'
    selection_cli_scheduledJob:
        # Win32_ScheduledJob
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'
            - 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'
            - 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'
            - 'V2luMzJfU2NoZWR1bGVkSm9i'
            - 'dpbjMyX1NjaGVkdWxlZEpvY'
            - 'XaW4zMl9TY2hlZHVsZWRKb2'
    selection_cli_process:
        # Win32_Process
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'
            - 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'
            - 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'
            - 'V2luMzJfUHJvY2Vzc'
            - 'dpbjMyX1Byb2Nlc3'
            - 'XaW4zMl9Qcm9jZXNz'
    selection_cli_useraccount:
        # Win32_UserAccount
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'
            - 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'
            - 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'
            - 'V2luMzJfVXNlckFjY291bn'
            - 'dpbjMyX1VzZXJBY2NvdW50'
            - 'XaW4zMl9Vc2VyQWNjb3Vud'
    selection_cli_loggedonuser:
        # Win32_LoggedOnUser
        CommandLine|contains:
            - 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'
            - 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'
            - 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'
            - 'V2luMzJfTG9nZ2VkT25Vc2Vy'
            - 'dpbjMyX0xvZ2dlZE9uVXNlc'
            - 'XaW4zMl9Mb2dnZWRPblVzZX'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high

title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - '/RU'
            - '/TR'
            - 'C:\Users\'
            - '\AppData\Local\'
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks, hence it gets its own value with surrounding spaces
    filter:
        # FP from test set in SIGMA
        ParentImage|contains|all:
            - '\AppData\Local\Temp\'
            - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/TN TVInstallRestore'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
    Detects Windows command lines that miss a space before or after the /c flag when running a command via cmd.exe.
    This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
references:
    - https://twitter.com/cyb3rops/status/1562072617552678912
    - https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1: # missing space before the /c
        CommandLine|contains:
            - 'cmd.exe/c'
            - '\cmd/c' # just cmd/c would be prone to false positives
            - '"cmd/c'
            - 'cmd.exe/k'
            - '\cmd/k' # just cmd/k would be prone to false positives
            - '"cmd/k'
            - 'cmd.exe/r'
            - '\cmd/r' # just cmd/r would be prone to false positives
            - '"cmd/r'
    selection2: # special cases verified via Virustotal Enterprise search
        CommandLine|contains:
            - '/cwhoami'
            - '/cpowershell'
            - '/cschtasks'
            - '/cbitsadmin'
            - '/ccertutil'
            - '/kwhoami'
            - '/kpowershell'
            - '/kschtasks'
            - '/kbitsadmin'
            - '/kcertutil'
    selection3: # missing space after the /c
        CommandLine|contains:
            - 'cmd.exe /c'
            - 'cmd /c'
            - 'cmd.exe /k'
            - 'cmd /k'
            - 'cmd.exe /r'
            - 'cmd /r'
    filter_generic:
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd /c '
            - 'cmd.exe /k '
            - 'cmd /k '
            - 'cmd.exe /r '
            - 'cmd /r '
    filter_fp:
        - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
        - CommandLine|endswith: 'cmd.exe/c .'
        - CommandLine: 'cmd.exe /c'
    condition: 1 of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: high

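The rule above only works because its broad `selection3` (`cmd /c` with or without a following character) is narrowed by `filter_generic` (the well-formed `cmd /c ` with a trailing space) and by `filter_fp`. The Python below is an added example, not part of the rule set or of any Sigma backend: it emulates that selection/filter logic with Sigma's default case-insensitive `contains` semantics and runs it over a handful of constructed process command lines.

```python
# Emulation of the "Cmd.EXE Missing Space Characters Execution Anomaly" rule.
# Pattern lists are copied from the rule; the sample events are constructed.

SELECTION1 = ['cmd.exe/c', '\\cmd/c', '"cmd/c',
              'cmd.exe/k', '\\cmd/k', '"cmd/k',
              'cmd.exe/r', '\\cmd/r', '"cmd/r']
SELECTION2 = ['/cwhoami', '/cpowershell', '/cschtasks', '/cbitsadmin', '/ccertutil',
              '/kwhoami', '/kpowershell', '/kschtasks', '/kbitsadmin', '/kcertutil']
SELECTION3 = ['cmd.exe /c', 'cmd /c', 'cmd.exe /k', 'cmd /k', 'cmd.exe /r', 'cmd /r']
FILTER_GENERIC = ['cmd.exe /c ', 'cmd /c ', 'cmd.exe /k ', 'cmd /k ', 'cmd.exe /r ', 'cmd /r ']
FILTER_FP_CONTAINS = 'AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules'
FILTER_FP_ENDSWITH = 'cmd.exe/c .'
FILTER_FP_EXACT = 'cmd.exe /c'


def contains_any(command_line_lower: str, patterns: list[str]) -> bool:
    """Sigma `contains` on a list is an OR over the values; matching is case-insensitive."""
    return any(p.lower() in command_line_lower for p in patterns)


def missing_space_anomaly(command_line: str) -> bool:
    """Return True when the rule's condition `1 of selection* and not 1 of filter_*` holds."""
    cl = command_line.lower()
    selected = (contains_any(cl, SELECTION1)
                or contains_any(cl, SELECTION2)
                or contains_any(cl, SELECTION3))
    # filter_generic removes the well-formed "cmd /c <space>" form that selection3 over-matches;
    # filter_fp removes known benign shapes listed in the rule.
    filtered = (contains_any(cl, FILTER_GENERIC)
                or FILTER_FP_CONTAINS.lower() in cl
                or cl.endswith(FILTER_FP_ENDSWITH)
                or cl == FILTER_FP_EXACT)
    return selected and not filtered


# Constructed sample process_creation command lines (not from any real incident).
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmd.exe /cwhoami',        # space missing after /c  -> alert
    r'"C:\Windows\System32\cmd.exe/c" dir',         # space missing before /c -> alert
    r'C:\Windows\System32\cmd.exe /c whoami',       # well-formed, filter_generic -> no alert
    r'cmd.exe /c',                                  # bare invocation, filter_fp exact -> no alert
    r'C:\Windows\System32\cmd.exe/c .',             # filter_fp endswith -> no alert
    r'powershell.exe -NoProfile -Command Get-Date', # unrelated -> no alert
]


def scan_events(events: list[str]) -> list[bool]:
    """Evaluate the rule against each event; True means the rule would fire."""
    return [missing_space_anomaly(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, scan_events(SAMPLE_EVENTS)):
        print(f"{'ALERT' if hit else 'ok   '}  {event}")
```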
title: Potential PowerShell Obfuscation Via WCHAR/CHAR
id: e312efd0-35a1-407f-8439-b8d434b438a6
status: test
description: Detects suspicious encoded character syntax often used for defense evasion
references:
    - https://twitter.com/0gtweet/status/1281103918693482496
author: Florian Roth (Nextron Systems)
date: 2020-07-09
modified: 2025-03-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '[char]0x'
            - '(WCHAR)0x'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
references:
    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_hidden:
        CommandLine|contains: ' hidden '
    selection_encoded:
        CommandLine|contains:
            - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
            - 'aXRzYWRtaW4gL3RyYW5zZmVy'
            - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
            - 'JpdHNhZG1pbiAvdHJhbnNmZX'
            - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
            - 'Yml0c2FkbWluIC90cmFuc2Zlc'
            - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
            - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
            - 'JGNodW5rX3Npem'
            - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
            - 'RjaHVua19zaXpl'
            - 'Y2h1bmtfc2l6Z'
            - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
            - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
            - 'lPLkNvbXByZXNzaW9u'
            - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
            - 'SU8uQ29tcHJlc3Npb2'
            - 'Ty5Db21wcmVzc2lvb'
            - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
            - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
            - 'lPLk1lbW9yeVN0cmVhb'
            - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
            - 'SU8uTWVtb3J5U3RyZWFt'
            - 'Ty5NZW1vcnlTdHJlYW'
            - '4ARwBlAHQAQwBoAHUAbgBrA'
            - '5HZXRDaHVua'
            - 'AEcAZQB0AEMAaAB1AG4Aaw'
            - 'LgBHAGUAdABDAGgAdQBuAGsA'
            - 'LkdldENodW5r'
            - 'R2V0Q2h1bm'
            - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
            - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
            - 'RIUkVBRF9JTkZPNj'
            - 'SFJFQURfSU5GTzY0'
            - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
            - 'VEhSRUFEX0lORk82N'
            - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
            - 'cmVhdGVSZW1vdGVUaHJlYW'
            - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
            - 'NyZWF0ZVJlbW90ZVRocmVhZ'
            - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
            - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
            - '0AZQBtAG0AbwB2AGUA'
            - '1lbW1vdm'
            - 'AGUAbQBtAG8AdgBlA'
            - 'bQBlAG0AbQBvAHYAZQ'
            - 'bWVtbW92Z'
            - 'ZW1tb3Zl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects obfuscated PowerShell via stdin in scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i)(?:set).*&&\s?set.*(?:environment|invoke|\$\{?input).*&&.*"'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e9f55347-2928-4c06-88e5-1a7f8169942e
status: test
description: Detects obfuscated PowerShell via the VAR++ launcher
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        CommandLine|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        CommandLine|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential PowerShell Obfuscation Via Reversed Commands
id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
status: test
description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
references:
    - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-05-31
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            - 'hctac'
            - 'kaerb'
            - 'dnammoc'
            - 'ekovn' # Also covers 'ekovni'
            - 'eliFd'
            - 'rahc'
            - 'etirw'
            - 'golon'
            - 'tninon'
            - 'eddih'
            - 'tpircS'
            - 'ssecorp'
            - 'llehsrewop'
            - 'esnopser'
            - 'daolnwod'
            - 'tneilCbeW'
            - 'tneilc'
            - 'ptth'
            - 'elifotevas'
            - '46esab'
            - 'htaPpmeTteG'
            - 'tcejbO'
            - 'maerts'
            - 'hcaerof'
            - 'retupmoc'
    filter_main_encoded_keyword:
        # We exclude usage of encoded commands as they might generate FPs as shown here:
        # https://github.com/SigmaHQ/sigma/pull/2720
        # https://github.com/SigmaHQ/sigma/issues/4270
        CommandLine|contains:
            - ' -EncodedCommand '
            - ' -enc '
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

title: PowerShell Base64 Encoded Invoke Keyword
id: 6385697e-9f1b-40bd-8817-f4a91f40508e
related:
    - id: fd6e2919-3936-40c9-99db-0aa922c356f7
      type: obsolete
status: test
description: Detects UTF-8 and UTF-16 Base64 encoded PowerShell 'Invoke-' calls
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
date: 2022-05-20
modified: 2023-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_enc:
        CommandLine|contains: ' -e'
    selection_cli_invoke:
        CommandLine|contains:
            # Invoke-
            # UTF-16LE
            - 'SQBuAHYAbwBrAGUALQ'
            - 'kAbgB2AG8AawBlAC0A'
            - 'JAG4AdgBvAGsAZQAtA'
            # UTF-8
            - 'SW52b2tlL'
            - 'ludm9rZS'
            - 'JbnZva2Ut'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Invoke-Obfuscation STDIN+ Launcher
id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects obfuscated use of stdin to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
        # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
        CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious PowerShell Parent Process
id: 754ed792-634f-40ae-b3bc-e0448d33f695
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: derived
status: test
description: Detects suspicious or uncommon parent processes of PowerShell
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
author: Teymur Kheirkhabarov, Harish Segar
date: 2020-03-20
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        - ParentImage|contains: 'tomcat'
        - ParentImage|endswith:
              - '\amigo.exe'
              - '\browser.exe'
              - '\chrome.exe'
              - '\firefox.exe'
              - '\httpd.exe'
              - '\iexplore.exe'
              - '\jbosssvc.exe'
              - '\microsoftedge.exe'
              - '\microsoftedgecp.exe'
              - '\MicrosoftEdgeSH.exe'
              - '\mshta.exe'
              - '\nginx.exe'
              - '\outlook.exe'
              - '\php-cgi.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\safari.exe'
              - '\services.exe'
              - '\sqlagent.exe'
              - '\sqlserver.exe'
              - '\sqlservr.exe'
              - '\vivaldi.exe'
              - '\w3wp.exe'
    selection_powershell:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - CommandLine|contains:
              - '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line
              - '/c pwsh'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    condition: all of selection_*
falsepositives:
    - Other scripts
level: high

title: Invoke-Obfuscation CLIP+ Launcher
id: b222df08-0e07-11eb-adc1-0242ac120002
status: test
description: Detects obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-17
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: 'cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
        # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')"
        # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )"
        CommandLine|contains|all:
            - 'cmd'
            - '&&'
            - 'clipboard]::'
            - '-f'
        CommandLine|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high

title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains:
              - 'IEX (['
              - 'iex (['
              - 'iex (New'
              - 'IEX (New'
              - 'IEX(['
              - 'iex(['
              - 'iex(New'
              - 'IEX(New'
              - "IEX(('"
              - "iex(('"
        # UTF16 LE
        - CommandLine|contains:
              - 'SQBFAFgAIAAoAFsA'
              - 'kARQBYACAAKABbA'
              - 'JAEUAWAAgACgAWw'
              - 'aQBlAHgAIAAoAFsA'
              - 'kAZQB4ACAAKABbA'
              - 'pAGUAeAAgACgAWw'
              - 'aQBlAHgAIAAoAE4AZQB3A'
              - 'kAZQB4ACAAKABOAGUAdw'
              - 'pAGUAeAAgACgATgBlAHcA'
              - 'SQBFAFgAIAAoAE4AZQB3A'
              - 'kARQBYACAAKABOAGUAdw'
              - 'JAEUAWAAgACgATgBlAHcA'
    condition: selection
falsepositives:
    - Unknown
level: high

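Several rules on this page (the FromBase64String, WMI class, Invoke keyword and IEX rules) list three base64 fragments per keyword, or use the `base64offset` modifier to have them generated. The reason is that base64 is alignment-dependent: the same bytes encode to different characters depending on whether they start at byte 0, 1 or 2 of a 3-byte group. The Python below is an added example, not code from SigmaHQ or pySigma: it derives the three fragments from a keyword with the same head/tail stripping the rules rely on, reproduces the exact values listed for `::FromBase64String` (UTF-16LE) and `Invoke-` (UTF-8), and applies the emulated `CommandLine|base64offset|contains` check to constructed `-EncodedCommand` lines whose keyword lands at each of the three alignments.

```python
import base64


def base64_offsets(keyword: str, encoding: str = "utf-16-le") -> list[str]:
    """Return the three alignment-specific base64 fragments for `keyword`.

    encoding="utf-16-le" is what powershell.exe -EncodedCommand decodes;
    encoding="utf-8" covers scripts that were base64-encoded as plain text.
    """
    raw = keyword.encode(encoding)
    fragments = []
    for pad in range(3):
        # Prepend `pad` dummy bytes so the keyword starts at byte offset `pad`
        # of a 3-byte group, then encode.
        encoded = base64.b64encode(b"\x00" * pad + raw).decode("ascii")
        # Leading characters whose bits mix the (unknown) preceding bytes with
        # the keyword: none for pad 0, two for pad 1, three for pad 2.
        head = (0, 2, 3)[pad]
        # Trailing characters whose bits mix the keyword with (unknown) following
        # bytes, plus the '=' padding a real stream would not contain: none when
        # the total length is a multiple of 3, three when the remainder is 1
        # (one mixed char + "=="), two when the remainder is 2 (one mixed + "=").
        tail = (0, 3, 2)[(pad + len(raw)) % 3]
        fragments.append(encoded[head:len(encoded) - tail])
    return fragments


def base64offset_contains(command_line: str, keyword: str, encoding: str = "utf-16-le") -> bool:
    """Emulate `CommandLine|base64offset|contains: <keyword>` from the rules above.

    Base64 is case-sensitive, so unlike a plain Sigma `contains` this match is too.
    """
    return any(fragment in command_line for fragment in base64_offsets(keyword, encoding))


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample scripts (not captured from any real incident). The variable
# names differ in length so that '::FromBase64String' begins at byte offset
# 0, 2 and 1 of a 3-byte group respectively (12, 13 and 14 UTF-16 code units
# of prefix = 24, 26 and 28 bytes), exercising all three fragments.
SAMPLE_SCRIPTS = [
    "$d=[Convert]::FromBase64String($b)",
    "$dd=[Convert]::FromBase64String($b)",
    "$ddd=[Convert]::FromBase64String($b)",
]
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -EncodedCommand " + encode_command(s) for s in SAMPLE_SCRIPTS
]
BENIGN_COMMAND_LINE = "powershell.exe -NoProfile -EncodedCommand " + encode_command("Get-Date")


def scan(command_lines: list[str], keyword: str = "::FromBase64String") -> list[bool]:
    """Apply the emulated modifier to each command line; True means the rule fires."""
    return [base64offset_contains(cl, keyword) for cl in command_lines]


if __name__ == "__main__":
    for fragment in base64_offsets("::FromBase64String"):
        print(fragment)  # the three UTF-16LE fragments listed in the FromBase64String rule
    print(scan(SAMPLE_COMMAND_LINES + [BENIGN_COMMAND_LINE]))
```

The same function reproduces the UTF-8 fragments in the "PowerShell Base64 Encoded Invoke Keyword" rule when called with `encoding="utf-8"`.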
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
- id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of Microsoft HTML Help (hh.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\hh.exe'
Image|endswith:
- '\CertReq.exe'
- '\CertUtil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\installutil.exe'
- '\MSbuild.exe'
- '\MSHTA.EXE'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.s0106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- 'cmd.exe /C * > *\\Temp\\* 2>&1'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
- 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
author: Thomas Patzke
date: 2020-05-22
modified: 2023-02-21
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
- 'join*split'
# Line 343ff
- '( $ShellId[1]+$ShellId[13]+''x'')'
- '( $PSHome[*]+$PSHOME[*]+'
- '( $env:Public[13]+$env:Public[5]+''x'')'
- '( $env:ComSpec[4,*,25]-Join'''')'
- '[1,3]+''x''-Join'''')'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: test
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
- https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
author: Markus Neis, @Karneades
date: 2018-03-06
modified: 2023-03-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.s0111
- attack.g0022
- attack.g0060
- car.2013-08-001
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- 'powershell.exe -NonI'
- '/TN Updater /TR'
CommandLine|contains:
- '/SC ONLOGON'
- '/SC DAILY /ST'
- '/SC ONIDLE'
- '/SC HOURLY'
condition: selection
falsepositives:
- Unlikely
level: high
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
# - '\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
- '\regsvr32.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
filter_ccmcache:
CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
ParentImage|endswith: '\mshta.exe'
Image|endswith: '\mshta.exe'
ParentCommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\splash.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
CommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\SMSSETUP\BIN\'
- '\autorun.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
condition: selection and not 1 of filter_*
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
- attack.execution
- attack.t1059.001
- attack.collection
- attack.t1114
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'Add-PSSnapin'
selection_module:
CommandLine|contains:
- 'Microsoft.Exchange.Powershell.Snapin'
- 'Microsoft.Exchange.Management.PowerShell.SnapIn'
filter_msiexec:
# ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
ParentImage: 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
title: Suspicious File Execution From Internet Hosted WebDav Share
id: f0507c0f-a3a2-40f5-acc6-7f543c334993
status: test
description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content from it, as seen being used in malicious LNK files
references:
- https://twitter.com/ShadowChasing1/status/1552595370961944576
- https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
author: pH-T (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\cmd.exe'
- OriginalFileName: 'Cmd.EXE'
selection_base:
CommandLine|contains|all:
- ' net use http'
- '& start /b '
- '\DavWWWRoot\'
selection_ext:
CommandLine|contains:
- '.exe '
- '.dll '
- '.bat '
- '.vbs '
- '.ps1 '
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
type: derived
status: test
description: Detects obfuscated PowerShell via the VAR++ launcher
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
# ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
# Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
# Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
ServiceFileName|contains|all:
- '&&set'
- 'cmd'
- '/c'
- '-f'
ServiceFileName|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
type: derived
status: test
description: Detects obfuscated PowerShell via use of Clip.exe in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
- id: 487c7524-f892-4054-b263-8a0ace63fc25
type: derived
status: test
description: Detects obfuscated PowerShell via stdin in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'set'
- '&&'
ServiceFileName|contains:
- 'environment'
- 'invoke'
- '${input}'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
type: derived
status: test
description: Detects obfuscated PowerShell via use of Rundll32 in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ServiceFileName|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'cmd'
- 'powershell'
selection2:
ServiceFileName|contains:
- '${input}'
- 'noexit'
selection3:
ServiceFileName|contains:
- ' /c '
- ' /r '
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
status: test
description: Detects obfuscated use of environment variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
# ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
ServiceFileName|contains|all:
- 'cmd'
- '"set'
- '-f'
ServiceFileName|contains:
- '/c'
- '/r'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation CLIP+ Launcher - Security
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'cmd'
- '&&'
- 'clipboard]::'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
type: derived
status: test
description: Detects obfuscated PowerShell via use of MSHTA in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'mshta'
- 'vbscript:createobject'
- '.run'
- 'window.close'
condition: selection
falsepositives:
- Unknown
level: high
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort:
- 5985
- 5986
LayerRTID: 44
condition: selection
falsepositives:
- Legitimate use of remote PowerShell execution
level: high
title: Invoke-Obfuscation CLIP+ Launcher - System
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
status: test
description: Detects obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2023-02-20
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'cmd'
- '&&'
- 'clipboard]::'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Rundll32 - System
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
status: test
description: Detects obfuscated PowerShell via use of Rundll32 in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ImagePath|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: test
description: Detects obfuscated PowerShell via stdin in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
ImagePath|contains|all:
- 'set'
- '&&'
ImagePath|contains:
- 'environment'
- 'invoke'
- 'input'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: test
description: Detects obfuscated PowerShell via use of Clip.exe in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - System
id: 72862bf2-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection_main:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: 'cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
# Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
# Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
ImagePath|contains|all:
- 'cmd'
- 'powershell'
ImagePath|contains:
- '/c'
- '/r'
selection_other:
- ImagePath|contains: 'noexit'
- ImagePath|contains|all:
- 'input'
- '$'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: test
description: Detects obfuscated PowerShell via use of MSHTA in scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'mshta'
- 'vbscript:createobject'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: test
description: Detects obfuscated PowerShell via the VAR++ launcher
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
# Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
# Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
ImagePath|contains|all:
- '&&set'
- 'cmd'
- '/c'
- '-f'
ImagePath|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: test
description: Detects obfuscated use of environment variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
# ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
ImagePath|contains|all:
- 'cmd'
- '"set'
- '-f'
ImagePath|contains:
- '/c'
- '/r'
condition: selection
falsepositives:
- Unknown
level: high
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
- id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
type: derived
status: test
description: |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://www.forensafe.com/blogs/runmrukey.html
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: registry_set
detection:
selection_key:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_powershell_command:
Details|contains:
- 'powershell'
- 'pwsh'
selection_powershell_susp_keywords:
Details|contains:
- ' -e '
- ' -ec '
- ' -en '
- ' -enc '
- ' -enco'
- 'ftp'
- 'Hidden'
- 'http'
- 'iex'
- 'Invoke-'
selection_wmic_command:
Details|contains: 'wmic'
selection_wmic_susp_keywords:
Details|contains:
- 'shadowcopy'
- 'process call create'
condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
- Unknown
level: high
title: Network Connection Initiated via Finger.EXE
id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
related:
- id: c082c2b0-525b-4dbc-9a26-a57dc4692074
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such network connections can also help identify potential malicious infrastructure used by threat actors.
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high