Sigma rules for MuddyWater
501 rules · scoped to actor · back to MuddyWater
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4625
- 4624
LogonType: 3
AuthenticationPackageName: 'NTLM'
WorkstationName|re: '^[A-Za-z0-9]{16}$'
selection2:
EventID: 4776
Workstation|re: '^[A-Za-z0-9]{16}$'
condition: 1 of selection*
falsepositives:
- Linux hostnames composed of 16 characters.
level: high
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
status: test
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC'
RelativeTargetName: 'protected_storage'
condition: selection
falsepositives:
- Unknown
level: high
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
- id: 5a105d34-05fc-401e-8553-272b45c1522d
type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
event_id:
EventID: 4697
selection1:
ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection2:
ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
selection3:
ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
selection4:
ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
condition: event_id and 1 of selection*
falsepositives:
- Unknown
level: high
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|contains:
- 'RemCom_stdin'
- 'RemCom_stdout'
- 'RemCom_stderr'
condition: selection1
falsepositives:
- Unknown
level: high
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
false_positives:
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'lsass'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'sql\query'
- 'eventlog'
condition: selection1 and not false_positives
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
title: T1047 Wmiprvse Wbemcomn DLL Hijack
id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-02-24
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
status: test
description: Detects the use of smbexec.py tool by detecting a specific service installation
references:
- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
date: 2018-03-20
modified: 2023-11-09
tags:
- attack.lateral-movement
- attack.execution
- attack.t1021.002
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service_name:
ServiceName: 'BTOBTO'
selection_service_image:
ImagePath|contains:
- '.bat & del '
- '__output 2^>^&1 >'
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection_key:
- TargetObject|contains: '\System\CurrentControlSet\Services'
- TargetObject|contains|all:
- '\System\ControlSet'
- '\Services'
selection_details:
- Details|contains|all:
- 'ADMIN$'
- '.exe'
- Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-10
modified: 2023-01-20
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
ContextInfo|contains|all:
- ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte =
- 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte =
filter_pwsh_archive:
ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate use remote PowerShell sessions
level: high
title: Potential Remote PowerShell Session Initiated
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
description: |
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2024-02-02
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 5985
- 5986
Initiated: 'true' # only matches of the initiating system can be evaluated
SourceIsIpv6: 'false'
filter_main_service_users:
- User|contains: # covers many language settings for Network Service. Please expand
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVICIO DE RED'
- 'SERVIZIO DI RETE'
- User|contains|all:
- 'SERVICE R'
- 'SEAU'
filter_main_localhost:
SourceIp:
- '::1'
- '127.0.0.1'
DestinationIp:
- '::1'
- '127.0.0.1'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
level: high
title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
Detects the execution of Winrs.exe where it is used to execute commands locally.
Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.006
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
# Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
- Image|endswith: '\winrs.exe'
- OriginalFileName: 'winrs.exe'
selection_local_ip:
CommandLine|contains|windash:
- '/r:localhost'
- '/r:127.0.0.1'
- '/r:[::1]'
- '/remote:localhost'
- '/remote:127.0.0.1'
- '/remote:[::1]'
filter_main_remote:
CommandLine|contains|windash:
- "/r:"
- "/remote:"
condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
- Unlikely
level: high
title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains:
- '{echo'
- '{base64,-d}'
condition: selection
falsepositives:
- Legitimate files with similar naming patterns (very unlikely).
level: high
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
Payload|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2023-01-04
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains|all:
- 'set'
- '&&'
- 'mshta'
- 'vbscript:createobject'
- '.run'
- '(window.close)'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
- id: e54f5149-6ba3-49cf-b153-070d24679126
type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
id: 2f211361-7dce-442d-b78a-c04039677378
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_payload:
- Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- Payload|re: '\*mdr\*\W\s*\)\.Name'
- Payload|re: '\$VerbosePreference\.ToString\('
- Payload|re: '\[String\]\s*\$VerbosePreference'
condition: selection_payload
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - PowerShell Module
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_iex:
- ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
- ScriptBlockText|re: '\$VerbosePreference\.ToString\('
condition: selection_iex
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - Powershell
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ScriptBlockText|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - PowerShell
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell
id: 73e67340-0d25-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - PowerShell
id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'set'
- '&&'
- 'mshta'
- 'vbscript:createobject'
- '.run'
- '(window.close)'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - Powershell
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\gthread-3.6.dll'
- '\sigcmm-2.4.dll'
- '\Windows\Temp\tmp.bat'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1546
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1140
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
falsepositives:
- Administrative script libraries
level: high
title: Ping Hex IP
id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
status: test
description: Detects a ping command that uses a hex encoded IP address
references:
- https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth (Nextron Systems)
date: 2018-03-23
modified: 2025-10-17
tags:
- attack.stealth
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ping.exe'
CommandLine|re: '0x[a-fA-F0-9]{8}'
condition: selection
falsepositives:
- Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high
title: Invoke-Obfuscation VAR+ Launcher
id: 27aec9c9-dbb0-4939-8422-1742242471d0
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
condition: selection
falsepositives:
- Unknown
level: high
title: PowerShell Base64 Encoded Reflective Assembly Load
id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
related:
- id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
type: similar
status: test
description: Detects base64 encoded .NET reflective loading of Assembly
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- attack.t1620
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# [Reflection.Assembly]::Load(
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
# [reflection.assembly]::("Load")
- 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC'
- 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp'
- 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK'
# [Reflection.Assembly]::("Load")
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA'
# [reflection.assembly]::Load(
- 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
condition: selection
falsepositives:
- Unlikely
level: high
title: Suspicious File Encoded To Base64 Via Certutil.EXE
id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
- https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
- https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
- '.acl'
- '.bat'
- '.doc'
- '.gif'
- '.jpeg'
- '.jpg'
- '.mp3'
- '.pdf'
- '.png'
- '.ppt'
- '.tmp'
- '.xls'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml
title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
status: test
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023-02-15
modified: 2025-06-04
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash:
- '-decode ' # Decode Base64
- '-decodehex ' # Decode Hex
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- CommandLine|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- CommandLine|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- CommandLine|re: '\$env:ComSpec\[(?:\s*\d{1,3}\s*,){2}'
- CommandLine|re: '\*mdr\*\W\s*\)\.Name'
- CommandLine|re: '\$VerbosePreference\.ToString\('
- CommandLine|re: '\[String\]\s*\$VerbosePreference'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
# Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
related:
- id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
type: similar
status: test
description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
author: pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# ::("L"+"oad")
- 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
- 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
- '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
# ::("Lo"+"ad")
- 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
- 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
- '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
# ::("Loa"+"d")
- 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
- 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
- '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
# ::('L'+'oad')
- 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
- 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
- '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
# ::('Lo'+'ad')
- 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
- 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
- '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
# ::('Loa'+'d')
- 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
- 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
- '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
condition: selection
falsepositives:
- Unlikely
level: high
title: Invoke-Obfuscation Via Use MSHTA
id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-03-08
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'set'
- '&&'
- 'mshta'
- 'vbscript:createobject'
- '.run'
- '(window.close)'
condition: selection
falsepositives:
- Unknown
level: high
title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
- https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
- https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
# Note: Add more suspicious locations to increase coverage
- '\AppData\Roaming\'
- '\Desktop\'
- '\Local\Temp\'
- '\PerfLogs\'
- '\Users\Public\'
- '\Windows\Temp\'
- '$Recycle.Bin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
title: Potential PowerShell Command Line Obfuscation
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
status: test
description: Detects the PowerShell command lines with special characters
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
date: 2020-10-15
modified: 2024-04-15
tags:
- attack.execution
- attack.stealth
- attack.t1027
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_re:
# TODO: Optimize for PySIGMA
- CommandLine|re: '\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+'
- CommandLine|re: '\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{'
- CommandLine|re: '\^.*\^.*\^.*\^.*\^'
- CommandLine|re: '`.*`.*`.*`.*`'
filter_optional_amazonSSM:
ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
filter_optional_defender_atp:
CommandLine|contains:
- 'new EventSource("Microsoft.Windows.Sense.Client.Management"'
- 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Amazon SSM Document Worker
- Windows Defender ATP
level: high
title: PowerShell Base64 Encoded WMI Classes
id: 1816994b-42e1-4fb1-afd2-134d88184f71
related:
- id: 47688f1b-9f51-4656-b013-3cc49a166a36
type: obsolete
status: test
description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_shadowcopy:
# Win32_ShadowCopy
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
- 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
- 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'
- 'V2luMzJfU2hhZG93Y29we'
- 'dpbjMyX1NoYWRvd2NvcH'
- 'XaW4zMl9TaGFkb3djb3B5'
selection_cli_scheduledJob:
# Win32_ScheduledJob
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'
- 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'
- 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'
- 'V2luMzJfU2NoZWR1bGVkSm9i'
- 'dpbjMyX1NjaGVkdWxlZEpvY'
- 'XaW4zMl9TY2hlZHVsZWRKb2'
selection_cli_process:
# Win32_Process
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'
- 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'
- 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'
- 'V2luMzJfUHJvY2Vzc'
- 'dpbjMyX1Byb2Nlc3'
- 'XaW4zMl9Qcm9jZXNz'
selection_cli_useraccount:
# Win32_UserAccount
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'
- 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'
- 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'
- 'V2luMzJfVXNlckFjY291bn'
- 'dpbjMyX1VzZXJBY2NvdW50'
- 'XaW4zMl9Vc2VyQWNjb3Vud'
selection_cli_loggedonuser:
# Win32_LoggedOnUser
CommandLine|contains:
- 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'
- 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'
- 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'
- 'V2luMzJfTG9nZ2VkT25Vc2Vy'
- 'dpbjMyX0xvZ2dlZE9uVXNlc'
- 'XaW4zMl9Mb2dnZWRPblVzZX'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
title: Potential PowerShell Obfuscation Via WCHAR/CHAR
id: e312efd0-35a1-407f-8439-b8d434b438a6
status: test
description: Detects suspicious encoded character syntax often used for defense evasion
references:
- https://twitter.com/0gtweet/status/1281103918693482496
author: Florian Roth (Nextron Systems)
date: 2020-07-09
modified: 2025-03-03
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '[char]0x'
- '(WCHAR)0x'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
related:
- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
type: similar
- id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://twitter.com/_JohnHammond/status/1708910264261980634
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains:
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
# filter_local_ips:
# # Note: Uncomment this filter if you want to exclude local IPs
# CommandLine|contains:
# - '://10.' # 10.0.0.0/8
# - '://192.168.' # 192.168.0.0/16
# - '://172.16.' # 172.16.0.0/12
# - '://172.17.'
# - '://172.18.'
# - '://172.19.'
# - '://172.20.'
# - '://172.21.'
# - '://172.22.'
# - '://172.23.'
# - '://172.24.'
# - '://172.25.'
# - '://172.26.'
# - '://172.27.'
# - '://172.28.'
# - '://172.29.'
# - '://172.30.'
# - '://172.31.'
# - '://127.' # 127.0.0.0/8
# - '://169.254.' # 169.254.0.0/16
filter_main_seven_zip:
CommandLine|contains: '://7-' # For https://7-zip.org/
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|re: '(?i)(?:set).*&&\s?set.*(?:environment|invoke|\$\{?input).*&&.*"'
condition: selection
falsepositives:
- Unknown
level: high