Sigma rules for Star Blizzard
500 rules · scoped to actor · back to Star Blizzard
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alert on when legacy authentication has been used on an account
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
ActivityDetails: Sign-ins
ClientApp:
- Other client
- IMAP
- POP3
- MAPI
- SMTP
- Exchange ActiveSync
- Exchange Web Services
Username: 'UPN'
condition: selection
falsepositives:
- User has been put in acception group so they can use legacy authentication
level: high
title: Application URI Configuration Changes
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
status: test
description: |
Detects when a configuration change is made to an applications URI.
URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.initial-access
- attack.stealth
- attack.t1528
- attack.t1078.004
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Update Application Sucess- Property Name AppAddress
condition: selection
falsepositives:
- When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
level: high
title: PIM Approvals And Deny Elevation
id: 039a7469-0296-4450-84c0-f6966b16dc6d
status: test
description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Request Approved/Denied
condition: selection
falsepositives:
- Actual admin using PIM.
level: high
title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: test
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Admin registered security info
Status: Admin registered temporary access pass method for user
condition: selection
falsepositives:
- Administrator adding a legitimate temporary access pass
level: high
title: User Added To Privilege Role
id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
status: test
description: Detects when a user is added to a privileged role.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-06
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add eligible member (permanent)
- Add eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of adding members from a role
level: high
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
status: test
description: Monitor and alert for users added to device admin roles.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: RoleManagement
OperationName|contains|all:
- 'Add'
- 'member to role'
TargetResources|contains:
- '7698a772-787b-4ac8-901f-60d6b08affd2'
- '62e90394-69f5-4237-9190-012177145e10'
condition: selection
falsepositives:
- Unknown
level: high
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.initial-access
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1552
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Update Application
- Update Service principal
condition: selection
falsepositives:
- When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
title: Changes To PIM Settings
id: db6c06c4-bf3b-421c-aa88-15672b88c743
status: test
description: Detects when changes are made to PIM roles
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
- attack.initial-access
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Update role setting in PIM
condition: selection
falsepositives:
- Legit administrative PIM setting configuration changes
level: high
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: high
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/grep'
CommandLine|contains:
- 'apached'
- 'frpc'
- 'sshd.sh'
- 'zone.arm'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
- id: d557dc06-62e8-4468-a8e8-7984124908ce
type: similar
status: test
description: |
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
- attack.credential-access
- attack.discovery
- attack.execution
- attack.privilege-escalation
- attack.t1046
- attack.t1082
- attack.t1106
- attack.t1518
- attack.t1548.002
- attack.t1552.001
- attack.t1555
- attack.t1555.003
logsource:
category: ps_script
product: windows
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Offline_Winpwn'
- 'WinPwn '
- 'WinPwn.exe'
- 'WinPwn.ps1'
condition: selection
falsepositives:
- As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
- attack.discovery
- attack.t1082
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
- id: 851fd622-b675-4d26-b803-14bc7baa517a
type: similar
status: test
description: |
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
- attack.credential-access
- attack.discovery
- attack.execution
- attack.privilege-escalation
- attack.t1046
- attack.t1082
- attack.t1106
- attack.t1518
- attack.t1548.002
- attack.t1552.001
- attack.t1555
- attack.t1555.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Offline_Winpwn'
- 'WinPwn '
- 'WinPwn.exe'
- 'WinPwn.ps1'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
- https://github.com/carlospolop/PEASS-ng
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1082
- attack.t1087
- attack.t1046
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'winPEAS.exe'
- Image|endswith:
- '\winPEASany_ofs.exe'
- '\winPEASany.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx86_ofs.exe'
- '\winPEASx86.exe'
selection_cli_option:
CommandLine|contains:
- ' applicationsinfo' # Search installed applications information
- ' browserinfo' # Search browser information
- ' eventsinfo' # Display interesting events information
- ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- ' filesinfo' # Search generic files that can contains credentials
- ' processinfo' # Search processes information
- ' servicesinfo' # Search services information
- ' windowscreds' # Search windows credentials
selection_cli_dl:
CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
selection_cli_specific:
- ParentCommandLine|endswith: ' -linpeas'
- CommandLine|endswith: ' -linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network related commands often used in recon stages
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022-02-07
tags:
- attack.discovery
- attack.t1087
- attack.t1082
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'nslookup'
- '_ldap._tcp.dc._msdcs.'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
title: HackTool - PCHunter Execution
id: fca949cc-79ca-446e-8064-01aa7e52ece5
status: test
description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
references:
- https://web.archive.org/web/20231210115125/http://www.xuetr.com/
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
modified: 2024-11-23
tags:
- attack.execution
- attack.discovery
- attack.t1082
- attack.t1057
- attack.t1012
- attack.t1083
- attack.t1007
logsource:
category: process_creation
product: windows
detection:
selection_image:
Image|endswith:
- '\PCHunter64.exe'
- '\PCHunter32.exe'
selection_pe:
- OriginalFileName: 'PCHunter.exe'
- Description: 'Epoolsoft Windows Information View Tools'
selection_hashes:
Hashes|contains:
- 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
- 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
- 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
- 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
- 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
- 'MD5=228DD0C2E6287547E26FFBD973A40F14'
- 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
- 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://gtfobins.github.io/gtfobins/c89/#shell
- https://gtfobins.github.io/gtfobins/c99/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/c89'
- '/c99'
- '/gcc'
CommandLine|contains: '-wrapper'
selection_cli:
CommandLine|contains:
- '/bin/bash,-s'
- '/bin/dash,-s'
- '/bin/fish,-s'
- '/bin/sh,-s'
- '/bin/zsh,-s'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
references:
- https://gtfobins.github.io/gtfobins/find/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/find'
CommandLine|contains|all:
- ' . '
- '-exec'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/flock/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/flock'
CommandLine|contains: ' -u '
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/nice/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/nice'
CommandLine|endswith:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Unknown
level: high
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/vim/
- https://gtfobins.github.io/gtfobins/rvim/
- https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rvim'
- '/vim'
- '/vimdiff'
CommandLine|contains:
- ' --cmd'
- ' -c '
selection_cli:
CommandLine|contains:
- ':!/'
- ':lua '
- ':py '
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Seatbelt Execution
id: 38646daa-e78f-4ace-9de0-55547b2d30da
status: test
description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
references:
- https://github.com/GhostPack/Seatbelt
- https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1526
- attack.t1087
- attack.t1083
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Seatbelt.exe'
- OriginalFileName: 'Seatbelt.exe'
- Description: 'Seatbelt'
- CommandLine|contains:
# This just a list of the commands that will produce the least amount of FP in "theory"
# Comment out/in as needed in your environment
# To get the full list of commands see reference section
- ' DpapiMasterKeys'
- ' InterestingProcesses'
- ' InterestingFiles'
- ' CertificateThumbprints'
- ' ChromiumBookmarks'
- ' ChromiumHistory'
- ' ChromiumPresence'
- ' CloudCredentials'
- ' CredEnum'
- ' CredGuard'
- ' FirefoxHistory'
- ' ProcessCreationEvents'
# - ' RDPSessions'
# - ' PowerShellHistory'
selection_group_list:
CommandLine|contains:
- ' -group=misc'
- ' -group=remote'
- ' -group=chromium'
- ' -group=slack'
- ' -group=system'
- ' -group=user'
- ' -group=all'
selection_group_output:
CommandLine|contains: ' -outputfile='
condition: selection_img or all of selection_group_*
falsepositives:
- Unlikely
level: high
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1087
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
condition: selection
falsepositives:
- Unknown
level: high
title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
- https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
date: 2017-01-01
modified: 2024-12-14
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\w3wp.exe'
- '\php-cgi.exe'
- '\nginx.exe'
- '\httpd.exe'
- '\caddy.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
selection_susp_net_utility:
OriginalFileName:
- 'net.exe'
- 'net1.exe'
CommandLine|contains:
- ' user '
- ' use '
- ' group '
selection_susp_ping_utility:
OriginalFileName: 'ping.exe'
CommandLine|contains: ' -n '
selection_susp_change_dir:
CommandLine|contains:
- '&cd&echo' # china chopper web shell
- 'cd /d ' # https://www.computerhope.com/cdhlp.htm
selection_susp_wmic_utility:
OriginalFileName: 'wmic.exe'
CommandLine|contains: ' /node:'
selection_susp_powershell_cli:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -enc '
- ' -EncodedCommand '
- ' -w hidden '
- ' -windowstyle hidden'
- '.WebClient).Download'
selection_susp_misc_discovery_binaries:
- Image|endswith:
- '\dsquery.exe'
- '\find.exe'
- '\findstr.exe'
- '\ipconfig.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\pathping.exe'
- '\quser.exe'
- '\schtasks.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\tracert.exe'
- '\ver.exe'
- '\wevtutil.exe'
- '\whoami.exe'
- OriginalFileName:
- 'dsquery.exe'
- 'find.exe'
- 'findstr.exe'
- 'ipconfig.exe'
- 'netstat.exe'
- 'nslookup.exe'
- 'pathping.exe'
- 'quser.exe'
- 'schtasks.exe'
- 'sysinfo.exe'
- 'tasklist.exe'
- 'tracert.exe'
- 'ver.exe'
- 'VSSADMIN.EXE'
- 'wevtutil.exe'
- 'whoami.exe'
selection_susp_misc_discovery_commands:
CommandLine|contains:
- ' Test-NetConnection '
- 'dir \' # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
condition: 1 of selection_webserver_* and 1 of selection_susp_*
falsepositives:
- Unknown
level: high
title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_origin:
- Image|endswith: '\w3wp.exe'
- ParentImage|endswith: '\w3wp.exe'
selection_cmdline:
CommandLine|contains:
- '&ipconfig&echo'
- '&quser&echo'
- '&whoami&echo'
- '&c:&echo'
- '&cd&echo'
- '&dir&echo'
- '&echo [E]'
- '&echo [S]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
- https://github.com/FalconForceTeam/SOAPHound
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
- attack.discovery
- attack.t1087
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains:
- ' --buildcache '
- ' --bhdump '
- ' --certdump '
- ' --dnsdump '
selection_2:
CommandLine|contains:
- ' -c '
- ' --cachefilename '
- ' -o '
- ' --outputdirectory'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
- id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
type: similar
- id: 75df3b17-8bcc-4565-b89b-c9898acef911
type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
date: 2021-02-02
modified: 2025-10-24
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- '-sc dclist'
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
condition: selection
falsepositives:
- Legitimate admin activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
simulation:
- type: atomic-red-team
name: Adfind - Enumerate Active Directory Computer Objects
technique: T1018
atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4
- type: atomic-red-team
name: Adfind - Enumerate Active Directory Domain Controller Objects
technique: T1018
atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- ' dclist '
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
- 'IMPHASH=d144de8117df2beceaba2201ad304764'
- 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
- 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
- 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
- 'IMPHASH=680dad9e300346e05a85023965867201'
- 'IMPHASH=21aa085d54992511b9f115355e468782'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
Image|endswith: '\AdFind.exe'
condition: 1 of selection* and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
related:
- id: 9a132afa-654e-11eb-ae93-0242ac130002
type: similar
- id: 514e7e3e-b3b4-4a67-af60-be20f139198b
type: similar
status: test
description: Detects active directory enumeration activity using known AdFind CLI flags
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: frack113
date: 2021-12-13
modified: 2023-03-05
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
category: process_creation
detection:
selection_password: # Listing password policy
CommandLine|contains:
- lockoutduration
- lockoutthreshold
- lockoutobservationwindow
- maxpwdage
- minpwdage
- minpwdlength
- pwdhistorylength
- pwdproperties
selection_enum_ad: # Enumerate Active Directory Admins
CommandLine|contains: '-sc admincountdmp'
selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
CommandLine|contains: '-sc exchaddresses'
condition: 1 of selection_*
falsepositives:
- Authorized administrative activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_flag:
CommandLine|contains: 'snapshot'
selection_paths:
CommandLine|contains:
# TODO: Add more suspicious paths
- '\Downloads\'
- '\Users\Public\'
- '\AppData\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
selection_object:
- ObjectName|endswith:
- '-512'
- '-502'
- '-500'
- '-505'
- '-519'
- '-520'
- '-544'
- '-551'
- '-555'
- ObjectName|contains: 'admin'
filter:
SubjectUserName|endswith: '$'
condition: selection and selection_object and not filter
falsepositives:
- If source account name is not an admin then its super suspicious
level: high
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.s0039
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
EventID: 4661
AccessMask: '0x2d'
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
ObjectName|endswith:
- '-500'
- '-512'
condition: selection
falsepositives:
- Administrator activity
level: high
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: test
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.command-and-control
- attack.t1090
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 7001
condition: selection
falsepositives:
- Unlikely
level: high
title: Malicious IP Address Sign-In Failure Rate
id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
status: test
description: Indicates sign-in from a malicious IP address based on high failure rates.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'maliciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Malicious IP Address Sign-In Suspicious
id: 36440e1c-5c22-467a-889b-593e66498472
status: test
description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
title: Sign-In From Malware Infected IP
id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
status: test
description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1090
- attack.command-and-control
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'malwareInfectedIPAddress'
condition: selection
falsepositives:
- Using an IP address that is shared by many users
level: high
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: linux
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
references:
- https://localtonet.com/documents/supported-tunnels
- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
author: Andreas Braathen (mnemonic.io)
date: 2024-06-17
tags:
- attack.command-and-control
- attack.t1572
- attack.t1090
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|endswith:
- '.localto.net'
- '.localtonet.com'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate use of the LocaltoNet service.
level: high
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
- id: 18249279-932f-45e2-b37a-8925f2597670
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
level: high
title: RDP Port Forwarding Rule Added Via Netsh.EXE
id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
status: test
description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-01-29
modified: 2023-02-13
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- ' i'
- ' p'
- '=3389'
- ' c'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: high
title: PUA - NPS Tunneling Tool Execution
id: 68d37776-61db-42f5-bf54-27e87072d17e
status: test
description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
references:
- https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\npc.exe'
selection_cli_1:
CommandLine|contains|all:
- ' -server='
- ' -vkey='
- ' -password='
selection_cli_2:
CommandLine|contains: ' -config=npc'
selection_hashes:
# v0.26.10
Hashes|contains:
- "MD5=AE8ACF66BFE3A44148964048B826D005"
- "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
- "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
- https://github.com/HiwinCN/HTran
- https://github.com/cw1997/NATBypass
author: Florian Roth (Nextron Systems)
date: 2022-12-27
modified: 2023-02-04
tags:
- attack.command-and-control
- attack.t1090
- attack.s0040
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\htran.exe'
- '\lcx.exe'
selection_cli:
CommandLine|contains:
- '.exe -tran '
- '.exe -slave '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
- https://asec.ahnlab.com/en/38156/
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\frpc.exe'
- '\frps.exe'
selection_cli:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: PUA- IOX Tunneling Tool Execution
id: d7654f02-e04b-4934-9838-65c46f187ebc
status: test
description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
references:
- https://github.com/EddieIvan01/iox
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\iox.exe'
selection_commandline:
CommandLine|contains:
- '.exe fwd -l '
- '.exe fwd -r '
- '.exe proxy -l '
- '.exe proxy -r '
selection_hashes:
# v0.4
Hashes|contains:
- "MD5=9DB2D314DD3F704A02051EF5EA210993"
- "SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD"
- "SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731"
condition: 1 of selection*
falsepositives:
- Legitimate use
level: high
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: windows
service: terminalservices-localsessionmanager
detection:
selection:
EventID: 21
Address|contains: '16777216'
condition: selection
falsepositives:
- Unknown
level: high
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1090.001
- attack.t1090.002
- attack.t1021.001
- car.2013-07-002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestAddress:
- '127.*'
- '::1'
destinationRDP:
DestPort: 3389
SourceAddress:
- '127.*'
- '::1'
filter_app_container:
FilterOrigin: 'AppContainer Loopback'
filter_thor: # checking BlueKeep vulnerability
Application|endswith:
- '\thor.exe'
- '\thor64.exe'
condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
- Programs that connect locally to the RDP port
level: high
title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
- id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
type: similar
- id: a8322756-015c-42e7-afb1-436e85ed3ff5
type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: frack113
date: 2022-02-20
modified: 2025-09-12
tags:
- attack.command-and-control
- attack.t1090.003
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith:
- '.hiddenservice.net'
- '.onion.ca'
- '.onion.cab'
- '.onion.casa'
- '.onion.city'
- '.onion.direct'
- '.onion.dog'
- '.onion.glass'
- '.onion.gq'
- '.onion.ink'
- '.onion.it'
- '.onion.link'
- '.onion.lt'
- '.onion.lu'
- '.onion.nu'
- '.onion.pet'
- '.onion.plus'
- '.onion.rip'
- '.onion.sh'
- '.onion.to'
- '.onion.top'
- '.onion'
- '.s1.tor-gateways.de'
- '.s2.tor-gateways.de'
- '.s3.tor-gateways.de'
- '.s4.tor-gateways.de'
- '.s5.tor-gateways.de'
- '.t2w.pw'
- '.tor2web.ae.org'
- '.tor2web.blutmagie.de'
- '.tor2web.com'
- '.tor2web.fi'
- '.tor2web.io'
- '.tor2web.org'
- '.tor2web.xyz'
- '.torlink.co'
condition: selection
falsepositives:
- Unknown
level: high
title: Tor Client/Browser Execution
id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
status: test
description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022-02-20
modified: 2025-10-27
tags:
- attack.command-and-control
- attack.t1090.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Tor Browser'
- Product: 'Tor Browser'
- Image|endswith:
- '\tor.exe'
- '\Tor Browser\Browser\firefox.exe'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml