Sigma rules for RoarBAT
500 rules · scoped to actor · back to RoarBAT
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1087
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
- https://github.com/FalconForceTeam/SOAPHound
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
- attack.discovery
- attack.t1087
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains:
- ' --buildcache '
- ' --bhdump '
- ' --certdump '
- ' --dnsdump '
selection_2:
CommandLine|contains:
- ' -c '
- ' --cachefilename '
- ' -o '
- ' --outputdirectory'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: test
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.command-and-control
- attack.t1090
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 7001
condition: selection
falsepositives:
- Unlikely
level: high
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Sign-In From Malware Infected IP
id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
status: test
description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'malwareInfectedIPAddress'
condition: selection
falsepositives:
- Using an IP address that is shared by many users
level: high
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
- id: 18249279-932f-45e2-b37a-8925f2597670
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
level: high
title: RDP Port Forwarding Rule Added Via Netsh.EXE
id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
status: test
description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-01-29
modified: 2023-02-13
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- ' i'
- ' p'
- '=3389'
- ' c'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: high
title: PUA - NPS Tunneling Tool Execution
id: 68d37776-61db-42f5-bf54-27e87072d17e
status: test
description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
references:
- https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\npc.exe'
selection_cli_1:
CommandLine|contains|all:
- ' -server='
- ' -vkey='
- ' -password='
selection_cli_2:
CommandLine|contains: ' -config=npc'
selection_hashes:
# v0.26.10
Hashes|contains:
- "MD5=AE8ACF66BFE3A44148964048B826D005"
- "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
- https://github.com/HiwinCN/HTran
- https://github.com/cw1997/NATBypass
author: Florian Roth (Nextron Systems)
date: 2022-12-27
modified: 2023-02-04
tags:
- attack.command-and-control
- attack.t1090
- attack.s0040
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\htran.exe'
- '\lcx.exe'
selection_cli:
CommandLine|contains:
- '.exe -tran '
- '.exe -slave '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
- https://asec.ahnlab.com/en/38156/
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\frpc.exe'
- '\frps.exe'
selection_cli:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: PUA- IOX Tunneling Tool Execution
id: d7654f02-e04b-4934-9838-65c46f187ebc
status: test
description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
references:
- https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\iox.exe'
selection_commandline:
CommandLine|contains:
- '.exe fwd -l '
- '.exe fwd -r '
- '.exe proxy -l '
- '.exe proxy -r '
selection_hashes:
# v0.4
Hashes|contains:
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
condition: 1 of selection*
falsepositives:
- Legitimate use
level: high
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: windows
service: terminalservices-localsessionmanager
detection:
selection:
EventID: 21
Address|contains: '16777216'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - SharpChisel Execution
id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
related:
- id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
type: similar
status: test
description: Detects usage of the Sharp Chisel via the commandline arguments
references:
- https://github.com/shantanu561993/SharpChisel
- https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1090.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SharpChisel.exe'
- Product: 'SharpChisel'
# See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
condition: selection
falsepositives:
- Unlikely
level: high
title: Renamed Cloudflared.EXE Execution
id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0
status: test
description: Detects the execution of a renamed "cloudflared" binary.
references:
- https://github.com/cloudflare/cloudflared/releases
- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
- https://github.com/cloudflare/cloudflared
- https://www.intrinsec.com/akira_ransomware/
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
tags:
- attack.command-and-control
- attack.t1090.001
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
logsource:
category: process_creation
product: windows
detection:
selection_cleanup:
CommandLine|contains|all:
- ' tunnel '
- 'cleanup '
CommandLine|contains:
- '-config '
- '-connector-id '
selection_tunnel:
CommandLine|contains|all:
- ' tunnel '
- ' run '
CommandLine|contains:
- '-config '
- '-credentials-contents '
- '-credentials-file '
- '-token '
selection_accountless:
CommandLine|contains|all:
- '-url'
- 'tunnel'
selection_hashes:
Hashes|contains:
- 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
- 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
- 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
- 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
- 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
- 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
- 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
- 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
- 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
- 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
- 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
- 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
- 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
- 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
- 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
- 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
- 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
- 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
- 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
- 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
- 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
- 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
- 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
- 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
- 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
- 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
- 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
- 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
- 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
- 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
- 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
- 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
- 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
- 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
- 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
- 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
- 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
- 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
filter_main_known_names:
Image|endswith:
- '\cloudflared.exe'
- '\cloudflared-windows-386.exe'
- '\cloudflared-windows-amd64.exe'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: PUA - Chisel Tunneling Tool Execution
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
related:
- id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
type: similar
status: test
description: Detects usage of the Chisel tunneling tool via the commandline arguments
references:
- https://github.com/jpillora/chisel/
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1090.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\chisel.exe'
selection_param1:
CommandLine|contains:
- 'exe client '
- 'exe server '
selection_param2:
CommandLine|contains:
- '-socks5'
- '-reverse'
- ' r:'
- ':127.0.0.1:'
- '-tls-skip-verify '
- ':socks'
condition: selection_img or all of selection_param*
falsepositives:
- Some false positives may occur with other tools with similar commandlines
level: high
title: PUA - Netcat Suspicious Execution
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
status: test
description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
- https://nmap.org/ncat/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
- https://www.revshells.com/
author: frack113, Florian Roth (Nextron Systems)
date: 2021-07-21
modified: 2023-02-08
tags:
- attack.command-and-control
- attack.t1095
logsource:
category: process_creation
product: windows
detection:
selection_img:
# can not use OriginalFileName as is empty
Image|endswith:
- '\nc.exe'
- '\ncat.exe'
- '\netcat.exe'
selection_cmdline:
# Typical command lines
CommandLine|contains:
- ' -lvp '
- ' -lvnp'
- ' -l -v -p '
- ' -lv -p '
- ' -l --proxy-type http '
# - ' --exec cmd.exe ' # Not specific enough for netcat
- ' -vnl --exec '
- ' -vnl -e '
- ' --lua-exec '
- ' --sh-exec '
condition: 1 of selection_*
falsepositives:
- Legitimate ncat use
level: high
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreatePseudoConsole'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
# - 'msvcrt'
- 'ntdll'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
- 'SetThreadToken'
# - 'user32'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_optional_mpcmdrun:
Image|endswith: '\MpCmdRun.exe'
CommandLine|contains: 'GetLoadLibraryWAddress32'
filter_optional_compatTelRunner:
ParentImage|endswith: '\CompatTelRunner.exe'
CommandLine|contains:
- 'FreeHGlobal'
- 'PtrToString'
- 'kernel32'
- 'CloseHandle'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high
title: Suspicious Mshta.EXE Execution Patterns
id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
status: test
description: Detects suspicious mshta process execution patterns
references:
- https://en.wikipedia.org/wiki/HTML_Application
- https://www.echotrail.io/insights/search/mshta.exe
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-17
modified: 2023-02-21
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'MSHTA.EXE'
selection_susp:
# Suspicious parents
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
# Suspicious folders
CommandLine|contains:
- '\AppData\Local\'
- 'C:\ProgramData\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
filter_img:
# Filter legit Locations
- Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
# Suspicious extensions
- CommandLine|contains:
- '.htm'
- '.hta'
# Filter simple execution
- CommandLine|endswith:
- 'mshta.exe'
- 'mshta'
condition: all of selection_* or (selection_img and not filter_img)
falsepositives:
- Unknown
level: high
title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
- https://github.com/boku7/injectAmsiBypass
- https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
- attack.execution
- attack.defense-impairment
- attack.t1106
- attack.t1685
logsource:
category: process_access
product: windows
detection:
selection:
CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
GrantedAccess:
- '0x1028'
- '0x1fffff'
condition: selection
falsepositives:
- Unknown
level: high
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
description: Detects remote RPC calls to modify the registry and possible execute code
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.defense-impairment
- attack.t1112
- attack.persistence
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
OpNum:
- 6
- 7
- 8
- 13
- 18
- 19
- 21
- 22
- 23
- 35
condition: selection
falsepositives:
- Remote administration of registry values
level: high
title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
- id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
type: similar
status: experimental
description: |
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add ' # reg.exe modification
- 'New-ItemProperty'
- 'Set-ItemProperty'
- 'si ' # short for Set-ItemProperty
selection_cli_paths_root:
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
selection_cli_paths_suffix:
CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
condition: all of selection_*
falsepositives:
- Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
technique: T1547.001
atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
- https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection1a:
CommandLine|contains|all:
- 'rundll32'
- 'apphelp.dll'
selection1b:
CommandLine|contains:
- 'ShimFlushCache'
- '#250'
selection2a:
CommandLine|contains|all:
- 'rundll32'
- 'kernel32.dll'
selection2b:
CommandLine|contains:
- 'BaseFlushAppcompatCache'
- '#46'
condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
falsepositives:
- Unknown
level: high
title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_reg:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_path:
CommandLine|contains:
# Add more suspicious registry locations below
- '\AppDataLow\Software\Microsoft\'
- '\Policies\Microsoft\Windows\OOBE'
- '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
- '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
- '\CurrentControlSet\Control\SecurityProviders\WDigest'
- '\Microsoft\Windows Defender\'
condition: all of selection_*
falsepositives:
- Rare legitimate add to registry via cli (to these locations)
level: high
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dnscmd.exe'
CommandLine|contains|all:
- '/config'
- '/serverlevelplugindll'
condition: selection
falsepositives:
- Unknown
level: high
title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
- id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
type: similar
status: test
description: |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2025-08-28
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'DisableRestrictedAdmin'
condition: selection
falsepositives:
- Unknown
level: high
title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
related:
- id: 73bba97f-a82d-42ce-b315-9182e76c57b1
type: similar
status: test
description: Detects the import of a alternate datastream to the registry with regedit.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli:
CommandLine|contains:
- ' /i '
- '.reg'
CommandLine|re: ':[^ \\]'
filter:
CommandLine|contains|windash:
- ' -e '
- ' -a '
- ' -c '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_cli:
- CommandLine|contains|all:
- 'reg '
- 'add'
- CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
selection_data:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'Services'
CommandLine|contains:
- 'ImagePath'
- 'FailureCommand'
- 'ServiceDLL'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Registry Modification From ADS Via Regini.EXE
id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
related:
- id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
type: derived
status: test
description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regini/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2023-02-08
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regini.exe'
- OriginalFileName: 'REGINI.EXE'
selection_re:
CommandLine|re: ':[^ \\]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
- id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
type: similar
status: experimental
description: |
Detects attempts to disable security event logging by adding the `MiniNt` registry key.
This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: process_creation
product: windows
detection:
selection_reg_img:
# Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains|all:
- ' add '
- '\SYSTEM\CurrentControlSet\Control\MiniNt'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd1:
CommandLine|contains:
- 'New-Item '
- 'ni '
selection_powershell_cmd2:
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
- Highly Unlikely
level: high
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
selection_complus:
EventID: 4657
ObjectName|contains: '\Environment'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: NetNTLM Downgrade Attack
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
type: derived
status: test
description: Detects NetNTLM downgrade attack
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth (Nextron Systems), wagga
date: 2018-03-20
modified: 2022-10-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685
- attack.t1112
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
selection:
EventID: 4657
ObjectName|contains|all:
- '\REGISTRY\MACHINE\SYSTEM'
- 'ControlSet'
- '\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'
condition: selection
falsepositives:
- Unknown
level: high
title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: test
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
- https://twitter.com/Flangvik/status/1283054508084473861
- https://twitter.com/SecurityJosh/status/1283027365770276866
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-07-14
modified: 2025-10-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4657
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
NewValue: 0
selection2:
EventID: 4663
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: '0x10000'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
filter:
Details|contains: NetworkService
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Office Macros Warning Disabled
id: 91239011-fe3c-4b54-9f24-15c86bb65913
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2024-03-19
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\VBAWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
falsepositives:
- Unknown
level: high
title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\PowerShell\' # PowerShell 5
- '\Microsoft\PowerShellCore\' # PowerShell 7
TargetObject|endswith:
- '\ModuleLogging\EnableModuleLogging'
- '\ScriptBlockLogging\EnableScriptBlockLogging'
- '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
- '\Transcription\EnableTranscripting'
- '\Transcription\EnableInvocationHeader'
- '\EnableScripts'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable PowerShell Logging via Registry
technique: T1112
atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8
title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
- id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
type: similar
status: test
description: |
Detects potential persistence activity via outlook today page.
An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains|all:
- 'Software\Microsoft\Office\'
- '\Outlook\Today\'
selection_value_stamp:
TargetObject|endswith: '\Stamp'
Details: 'DWORD (0x00000001)'
selection_value_url:
TargetObject|endswith:
- '\URL'
- '\UserDefinedUrl'
filter_main_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
status: test
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
- https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
- https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-09-12
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'WDigest\UseLogonCredential'
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: high
title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
- id: 171b67e1-74b4-460e-8d55-b331f3e32d67
type: obsolete
- id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
type: obsolete
- id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
type: similar
status: test
description: |
Detects tampering of RDP Terminal Service/Server sensitive settings.
Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
references:
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_shadow:
TargetObject|contains:
- '\Control\Terminal Server\'
- '\Windows NT\Terminal Services\'
TargetObject|endswith: '\Shadow'
Details:
- 'DWORD (0x00000001)' # Full Control with user’s permission
- 'DWORD (0x00000002)' # Full Control without user’s permission
- 'DWORD (0x00000003)' # View Session with user’s permission
- 'DWORD (0x00000004)' # View Session without user’s permission
selection_terminal_services_key:
TargetObject|contains:
- '\Control\Terminal Server\'
- '\Windows NT\Terminal Services\'
TargetObject|endswith:
- '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
- '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
- '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
- '\fAllowUnsolicitedFullControl'
Details: 'DWORD (0x00000001)'
selection_tamper_only:
# Any changes to these keys should be suspicious and looked at
TargetObject|contains:
- '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- '\services\TermService\Parameters\ServiceDll' # RDP hijacking
- '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
- '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
filter_main_securitylayer_tls:
TargetObject|endswith: '\SecurityLayer'
Details: 'DWORD (0x00000002)' # TLS Enabled
condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high
title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: test
description: |
Detects changes to the NGenAssemblyUsageLog registry key.
.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022-11-18
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
condition: selection
falsepositives:
- Unknown
level: high
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
- id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
type: similar
status: test
description: |
Detects potential persistence activity via outlook home page.
An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Software\Microsoft\Office\'
- '\Outlook\WebView\'
TargetObject|endswith: '\URL'
condition: selection
falsepositives:
- Unknown
level: high
title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
- https://www.youtube.com/watch?v=uSYvHUVU8xY
- https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
# O:SYG:SYD:(D;;0x1;;;WD)
# O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
selection_key_1:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
TargetObject|endswith: '\CustomSD'
selection_key_2:
TargetObject|contains:
- '\Policies\Microsoft\Windows\EventLog\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
TargetObject|endswith: '\ChannelAccess'
selection_details:
- Details|contains: 'D:(D;'
- Details|contains|all:
- 'D:('
- ')(D;'
filter_main_trustedinstaller:
Image: 'C:\Windows\servicing\TrustedInstaller.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
filter_optional_empty:
Image: ''
filter_optional_null:
Image: null
condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity, still unlikely
level: high
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
- id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- Internal Research
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- ':\Program Files (x86)\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office (x86)\Templates'
- ':\Program Files\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high