Sigma rules for Play
519 rules · scoped to actor · back to Play
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Anomalous Token
id: 6555754e-5e7f-4a67-ad1c-4041c413a007
status: test
description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow'
date: 2023-08-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousToken'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\gthread-3.6.dll'
- '\sigcmm-2.4.dll'
- '\Windows\Temp\tmp.bat'
condition: selection
falsepositives:
- Unknown
level: high
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection1:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
selection2:
Image: 'C:\Windows\system32\DllHost.exe'
TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Suspicious FileFix Execution Pattern
id: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
related:
- id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
type: similar
- id: 4be03877-d5b6-4520-85c9-a5911c0a656c
type: obsolete
status: experimental
description: |
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
references:
- https://mrd0x.com/filefix-clickfix-alternative/
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command
- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-24
tags:
- attack.execution
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_exec_parent:
# This is case where phishing pages trick users to paste commands in browser file upload dialog
ParentImage|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
CommandLine|contains: '#'
selection_cli_lolbin:
CommandLine|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
selection_cli_captcha:
CommandLine|contains:
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: selection_exec_parent and 1 of selection_cli_*
falsepositives:
- Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
level: high
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
- https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
- attack.execution
- attack.stealth
- attack.t1106
- attack.t1059.003
- attack.t1218.011
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\rundll32.exe'
- '\cmd.exe'
CommandLine|contains:
- 'gthread-3.6.dll'
- '\Windows\Temp\tmp.bat'
- 'sigcmm-2.4.dll'
condition: selection
falsepositives:
- Unknown
level: high
title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
related:
- id: c082c2b0-525b-4dbc-9a26-a57dc4692074
type: similar
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
status: test
description: |
Detects execution of the "finger.exe" utility.
Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
- http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'finger.exe'
- Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Admin activity (unclear what they do nowadays with finger.exe)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml
title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec
date: 2019-03-24
modified: 2022-10-05
tags:
- attack.t1001.003
- attack.command-and-control
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection:
EventID: 5136
AttributeValue|contains: '*'
AttributeLDAPDisplayName:
- 'primaryInternationalISDNNumber'
- 'otherFacsimileTelephoneNumber'
- 'primaryTelexNumber'
condition: selection
falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
level: high
title: Replay Attack Detected
id: 5a44727c-3b85-4713-8c44-4401d5499629
status: test
description: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
author: frack113
date: 2022-10-14
tags:
- attack.credential-access
- attack.t1558
logsource:
service: security
product: windows
detection:
selection:
EventID: 4649
condition: selection
falsepositives:
- Unknown
level: high
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: high
title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
- https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
condition: selection
falsepositives:
- Unknown
level: high
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
- attack.initial-access
- attack.stealth
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1036.005
logsource:
category: proxy
detection:
selection:
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
- attack.stealth
- attack.t1564.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'powershell'
- 'WindowStyle'
- 'Hidden'
filter:
ScriptBlockText|contains|all:
- ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
- '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\desktop.ini'
filter_main_generic:
Image|startswith:
- 'C:\Windows\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_upgrade:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
filter_optional_jetbrains:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
TargetFilename|contains: '\JetBrains\apps\'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Operations performed through Windows SCCM or equivalent
- Read only access list authority
level: medium
title: Uncommon System Information Discovery Via Wmic.EXE
id: 9d5a1274-922a-49d0-87f3-8c653483b909
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: derived
status: test
description: |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
- https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
- https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
- https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
- https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: TropChaud
date: 2023-01-26
modified: 2023-12-19
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_wmic:
- Description: 'WMI Commandline Utility'
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_commands:
CommandLine|contains:
- 'LOGICALDISK get Name,Size,FreeSpace'
- 'os get Caption,OSArchitecture,Version'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Gpresult Display Group Policy Information
id: e56d3073-83ff-4021-90fe-c658e0709e72
status: test
description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
- https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: frack113
date: 2022-05-01
tags:
- attack.discovery
- attack.t1615
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\gpresult.exe'
CommandLine|contains:
- '/z'
- '/v'
condition: selection
falsepositives:
- Unknown
level: medium
simulation:
- type: atomic-red-team
name: Display group policy information via gpresult
technique: T1615
atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
title: Service Reconnaissance Via Wmic.EXE
id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
related:
- id: 68bcd73b-37ef-49cb-95fc-edc809730be6
type: similar
status: test
description: |
An adversary might use WMI to check if a certain remote service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2026-01-07
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'service'
filter_main_win32_methods:
CommandLine|contains:
- 'Change'
- 'Create'
- 'Delete'
- 'PauseService'
- 'ResumeService'
- 'SetSecurityDescriptor'
- 'StartService'
- 'StopService'
- 'UserControlService'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Windows Network Access Suspicious desktop.ini Action
id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e
status: test
description: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Tim Shelton (HAWK.IO)
date: 2021-12-06
modified: 2022-01-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ObjectType: File
RelativeTargetName|endswith: '\desktop.ini'
AccessList|contains:
- 'WriteData'
- 'DELETE'
- 'WriteDAC'
- 'AppendData'
- 'AddSubdirectory'
condition: selection
falsepositives:
- Read only access list authority
level: medium
title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2026-03-29
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_1:
EventID: 4673
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter_main_exact:
ProcessName:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\HelpPane.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\fltMC.exe'
- 'C:\Windows\System32\mmc.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- 'C:\Windows\System32\ShellHost.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\SystemSettingsBroker.exe'
- 'C:\Windows\System32\wimserv.exe'
filter_optional_others:
ProcessName|endswith:
- '\AppData\Local\Microsoft\Teams\current\Teams.exe'
- '\Google\Chrome\Application\chrome.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\procmon.exe'
- '\procmon64.exe'
filter_main_startswith:
ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
filter_optional_dropbox:
ProcessName|startswith:
- 'C:\Program Files (x86)\Dropbox\'
- 'C:\Program Files\Dropbox\'
ProcessName|endswith: '\Dropbox.exe'
condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
title: UAC Secure Desktop Prompt Disabled
id: 0d7ceeef-3539-4392-8953-3dc664912714
related:
- id: c5f6a85d-b647-40f7-bbad-c10b66bab038
type: similar
- id: 48437c39-9e5f-47fb-af95-3d663c3f2919
type: similar
status: test
description: |
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: test
description: |
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
The disk cleanup manager is part of the operating system.
It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
root:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
selection_autorun:
# Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
TargetObject|contains: '\Autorun'
Details: 'DWORD (0x00000001)'
selection_pre_after:
TargetObject|contains:
- '\CleanupString'
- '\PreCleanupString'
Details|contains:
# Add more as you see fit
- 'cmd'
- 'powershell'
- 'rundll32'
- 'mshta'
- 'cscript'
- 'wscript'
- 'wsl'
- '\Users\Public\'
- '\Windows\TEMP\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
condition: root and 1 of selection_*
falsepositives:
- Unknown
level: medium
title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
The disk cleanup manager is part of the operating system. It displays the dialog box […]
The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
- attack.persistence
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
filter_main_default_keys:
# Default Keys
TargetObject|endswith:
- '\Active Setup Temp Folders'
- '\BranchCache'
- '\Content Indexer Cleaner'
- '\D3D Shader Cache'
- '\Delivery Optimization Files'
- '\Device Driver Packages'
- '\Diagnostic Data Viewer database files'
- '\Downloaded Program Files'
- '\DownloadsFolder'
- '\Feedback Hub Archive log files'
- '\Internet Cache Files'
- '\Language Pack'
- '\Microsoft Office Temp Files'
- '\Offline Pages Files'
- '\Old ChkDsk Files'
- '\Previous Installations'
- '\Recycle Bin'
- '\RetailDemo Offline Content'
- '\Setup Log Files'
- '\System error memory dump files'
- '\System error minidump files'
- '\Temporary Files'
- '\Temporary Setup Files'
- '\Temporary Sync Files'
- '\Thumbnail Cache'
- '\Update Cleanup'
- '\Upgrade Discarded Files'
- '\User file versions'
- '\Windows Defender'
- '\Windows Error Reporting Files'
- '\Windows ESD installation files'
- '\Windows Upgrade Log Files'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate new entry added by windows
level: medium
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
category: antivirus
detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Mimikatz'
- 'MultiDump'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'PWS.'
- 'PWSX'
- 'pypykatz'
- 'Rubeus'
- 'SafetyKatz'
- 'SecurityTool'
- 'SharpChrome'
- 'SharpDPAPI'
- 'SharpDump'
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'TrickDump'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
- attack.credential-access
- attack.resource-development
- attack.t1588.002
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
condition: selection
falsepositives:
- Legitimate use of one of these tools
level: critical
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
- id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
- attack.credential-access
- attack.t1003
- attack.t1558.003
- attack.lateral-movement
- attack.t1550.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Rubeus.exe'
- OriginalFileName: 'Rubeus.exe'
- Description: 'Rubeus'
- CommandLine|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- 'dump /luid:0x'
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Windows\System32\lsass.exe'
Image|endswith: '\Windows\System32\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: critical
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
- attack.credential-access
- attack.t1003
- attack.s0005
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Unknown
level: critical
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: 'dumpert.dmp'
condition: selection
falsepositives:
- Very unlikely
level: critical
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains:
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: critical
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
- https://github.com/Kevin-Robertson/Inveigh
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Inveigh.exe'
- OriginalFileName:
- '\Inveigh.exe'
- '\Inveigh.dll'
- Description: 'Inveigh'
- CommandLine|contains:
- ' -SpooferIP'
- ' -ReplyToIPs '
- ' -ReplyToDomains '
- ' -ReplyToMACs '
- ' -SnifferIP'
condition: selection
falsepositives:
- Very unlikely
level: critical
title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
- https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SafetyKatz.exe'
- OriginalFileName: 'SafetyKatz.exe'
- Description: 'SafetyKatz'
condition: selection
falsepositives:
- Unlikely
level: critical
title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
- CommandLine|contains: 'Dumpert.dll'
condition: selection
falsepositives:
- Very unlikely
level: critical
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 36803969-5421-41ec-b92f-8500f79c23b0
type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
- https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
- https://threathunterplaybook.com/library/windows/active_directory_replication.html
- https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
- SubjectUserName|endswith: '$'
- SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
falsepositives:
- Unknown
level: critical
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'whoami.exe'
filter:
Image|endswith: '\whoami.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: test
description: |
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains:
- '$DoIt'
- 'harmj0y'
- 'mattifestation'
- '_RastaMouse'
- 'tifkin_'
- '0xdeadbeef'
condition: selection_4103
falsepositives:
- 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
- attack.execution
- attack.t1059.001
- attack.command-and-control
- attack.t1071.004
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
ScriptBlockText|contains|all:
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
# better to randomise the order
ScriptBlockText|contains|all:
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical
title: Possible Coin Miner CPU Priority Param
id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
status: test
description: Detects command line parameter very often used with coin miners
references:
- https://xmrig.com/docs/miner/command-line-options
author: Florian Roth (Nextron Systems)
date: 2021-10-09
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.t1068
logsource:
product: linux
service: auditd
detection:
cmd1:
a1|startswith: '--cpu-priority'
cmd2:
a2|startswith: '--cpu-priority'
cmd3:
a3|startswith: '--cpu-priority'
cmd4:
a4|startswith: '--cpu-priority'
cmd5:
a5|startswith: '--cpu-priority'
cmd6:
a6|startswith: '--cpu-priority'
cmd7:
a7|startswith: '--cpu-priority'
condition: 1 of cmd*
falsepositives:
- Other tools that use a --cpu-priority flag
level: critical
title: HackTool - SysmonEOP Execution
id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
status: test
description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
references:
- https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
modified: 2024-11-23
tags:
- cve.2022-41120
- attack.t1068
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\SysmonEOP.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: |
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
Unfortunately, that is about the only instance of CVEs being written to this log.
references:
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
- https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
- https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020-01-15
modified: 2022-10-22
tags:
- attack.execution
- attack.stealth
- attack.t1203
- attack.privilege-escalation
- attack.t1068
- attack.t1211
- attack.credential-access
- attack.t1212
- attack.lateral-movement
- attack.t1210
- attack.impact
- attack.t1499.004
logsource:
product: windows
service: application
detection:
selection:
Provider_Name:
- 'Microsoft-Windows-Audit-CVE'
- 'Audit-CVE'
EventID: 1
condition: selection
falsepositives:
- Unknown
level: critical
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
- https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-uri|contains: 'momyshark\?key='
condition: selection
falsepositives:
- Unlikely
level: critical
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
- https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/pwndrop/'
condition: selection
falsepositives:
- Unknown
level: critical
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
- https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
- attack.initial-access
- cve.2021-42278
- cve.2021-42287
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
service: security
product: windows
detection:
# Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
selection1:
SamAccountName|startswith: 'SAMTHEADMIN-'
SamAccountName|endswith: '$'
selection2:
TargetUserName|startswith: 'SAMTHEADMIN-'
TargetUserName|endswith: '$'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
EventID:
- 12
- 13
TargetObject|contains: 'SYSTEM\'
TargetObject|endswith: '\services\localNETService'
condition: selection
falsepositives:
- Unknown
level: critical
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
- https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
- https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.execution
- attack.t1203
- attack.command-and-control
- attack.t1219.002
logsource:
category: antivirus
detection:
selection:
Signature|contains:
- 'Backdoor.Cobalt'
- 'Brutel'
- 'BruteR'
- 'CobaltStr'
- 'CobaltStrike'
- 'COBEACON'
- 'Cometer'
- 'Exploit.Script.CVE'
- 'IISExchgSpawnCMD'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'Mpreter'
- 'MsfShell'
- 'PowerSploit'
- 'Razy'
- 'Rozena'
- 'Sbelt'
- 'Seatbelt'
- 'Sliver'
- 'Swrort'
condition: selection
falsepositives:
- Unlikely
level: critical
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high