Sigma rules for Storm-0558
500 rules, scoped to actor. Direct rules mention this entity in their title or description; related rules cover the techniques this entity is known to use.
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
      type: similar
status: test
description: Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console-like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    filter_main_exclude_coverage:
        # This filter excludes strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
        CommandLine|contains:
            - 'paexec'
            - 'PsExec'
            - 'accepteula'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Weird admins that rename their tools
    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
---
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec, a PsExec alternative
references:
    - https://github.com/malcomvetter/CSExec
    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
    - attack.resource-development
    - attack.t1587.001
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csexec.exe'
    selection_pe:
        Description: 'csexec'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
---
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
    Detects an antivirus alert in a highly relevant file path or with a relevant file name.
    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '/www/'
            # - '\Client\'
            - '\inetpub\'
            - '\tsclient\'
            - 'apache'
            - 'nginx'
            - 'tomcat'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.msc'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wll'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.xml'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
---
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4 # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
---
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
status: stable
description: Detects relevant ClamAV messages
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-01
tags:
    - attack.resource-development
    - attack.t1588.001
logsource:
    product: linux
    service: clamav
detection:
    keywords:
        - 'Trojan*FOUND'
        - 'VirTool*FOUND'
        - 'Webshell*FOUND'
        - 'Rootkit*FOUND'
        - 'Htran*FOUND'
    condition: keywords
falsepositives:
    - Unknown
level: high
---
title: Renamed SysInternals DebugView Execution
id: cd764533-2e07-40d6-a718-cfeec7f2da7f
status: test
description: Detects suspicious renamed SysInternals DebugView execution
references:
    - https://www.epicturla.com/blog/sysinturla
author: Florian Roth (Nextron Systems)
date: 2020-05-28
modified: 2023-02-14
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Sysinternals DebugView'
    filter:
        OriginalFileName: 'Dbgview.exe'
        Image|endswith: '\Dbgview.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
---
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 8023f872-3f1d-4301-a384-801889917ab4
      type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            # Please add new values while respecting the alphabetical order
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\ProcDump'
            - '\Process Explorer'
            - '\PsExec'
            - '\PsLoggedon'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\PsPing'
            - '\PsService'
            - '\SDelete'
        TargetObject|endswith: '\EulaAccepted'
    filter:
        Image|endswith:
            # Please add new values while respecting the alphabetical order
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\PsLoggedon.exe'
            - '\PsLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\PsPing.exe'
            - '\PsPing64.exe'
            - '\PsService.exe'
            - '\PsService64.exe'
            - '\sdelete.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml
---
title: Usage of Renamed Sysinternals Tools - RegistrySet
id: 8023f872-3f1d-4301-a384-801889917ab4
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: f50f3c09-557d-492d-81db-9064a8d4e211
      type: similar
status: test
description: Detects non-Sysinternals tools setting the "accepteula" key which normally is set on Sysinternals tool execution
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\PsExec'
            - '\ProcDump'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\Active Directory Explorer'
        TargetObject|endswith: '\EulaAccepted'
    filter_main_image_names:
        Image|endswith:
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
    filter_optional_null:
        Image: null # Race condition with some logging tools
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
---
title: SAML Token Issuer Anomaly
id: e3393cba-31f0-4207-831e-aef90ab17a8c
status: test
description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.t1606
    - attack.credential-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'tokenIssuerAnomaly'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
---
title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userAgent: 'TruffleHog'
    condition: selection
falsepositives:
    - Legitimate use of TruffleHog by security teams for credential scanning.
level: medium
---
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.DocumentDB/databaseAccounts/listKeys/action
        - Microsoft.Maps/accounts/listKeys/action
        - Microsoft.Media/mediaservices/listKeys/action
        - Microsoft.CognitiveServices/accounts/listKeys/action
        - Microsoft.Storage/storageAccounts/listKeys/action
        - Microsoft.Compute/snapshots/write
        - Microsoft.Network/networkSecurityGroups/write
    condition: keywords
falsepositives:
    - Valid change
level: medium
---
title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
    Detects file access requests to cryptocurrency wallet files by uncommon processes.
    Could indicate a potential attempt at cryptocurrency wallet stealing.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        - FileName|contains:
              - '\AppData\Roaming\Ethereum\keystore\'
              - '\AppData\Roaming\EthereumClassic\keystore\'
              - '\AppData\Roaming\monero\wallets\'
        - FileName|endswith:
              - '\AppData\Roaming\Bitcoin\wallet.dat'
              - '\AppData\Roaming\BitcoinABC\wallet.dat'
              - '\AppData\Roaming\BitcoinSV\wallet.dat'
              - '\AppData\Roaming\DashCore\wallet.dat'
              - '\AppData\Roaming\DogeCoin\wallet.dat'
              - '\AppData\Roaming\Litecoin\wallet.dat'
              - '\AppData\Roaming\Ripple\wallet.dat'
              - '\AppData\Roaming\Zcash\wallet.dat'
    filter_main_system:
        Image: System
    filter_main_generic:
        # This filter is added to avoid a large amount of FPs with 3rd party software. You should remove it in favour of specific per-application filters
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
level: medium
---
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes, based on name and location, that access the Windows Credential Manager and Vault.
    This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function.
references:
    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users, for example in the "AppData" directory, may access these files (for any reason).
# Increase level after false positive filters are good enough
level: medium
---
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.003
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'esentutl'
            - ' /p'
    condition: selection
falsepositives:
    - To be determined
level: medium
---
title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2022-11-10
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.002
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'shadow'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator working with shadow copies, access for backup purposes
level: medium
---
title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question,
    in order to dump the process memory or perform other nefarious actions.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
modified: 2024-03-13
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tasklist.exe'
        - OriginalFileName: 'tasklist.exe'
    selection_flags:
        CommandLine|contains|windash: '-m'
    selection_module:
        # Note: add other interesting modules or binaries
        CommandLine|contains: 'rdpcorets.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
---
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twitter.com/vysecurity/status/873181705024266241
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020-10-09
modified: 2025-10-31
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\RpcPing.exe'
        # OriginalFileName is a PE version-info field without a path, so an exact match must not carry a leading backslash
        - OriginalFileName: 'RpcPing.exe'
    selection_main_flag:
        CommandLine|contains|windash: '-s'
    selection_cli_ntlm:
        CommandLine|contains|windash: '-u'
        CommandLine|contains: 'NTLM'
    selection_cli_ncacn:
        CommandLine|contains|windash: '-t'
        CommandLine|contains: 'ncacn_np'
    condition: all of selection_main_* and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: medium
---
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.
    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
    - https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    service: security
    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ObjectName|contains: '\AppData\Roaming\Signal\'
        ObjectName|endswith:
            - '\config.json'
            - '\db.sqlite'
    filter_main_signal:
        ProcessName|endswith:
            - '\signal-portable.exe'
            - '\signal.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but possible from AV or backup software accessing the files.
level: medium
---
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    filter:
        TargetObject|contains:
            - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
            - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
            - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
            # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL; remove the comment if you use WSL in your environment
    filter_valid_procs:
        Image: 'C:\Windows\System32\poqexec.exe'
    condition: selection and not 1 of filter*
falsepositives:
    - Other legitimate network providers used and not filtered in this rule
level: medium
---
title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://www.powershellgallery.com/packages/DSInternals
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022-02-06
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Get-ADReplAccount
            - '-All '
            - '-Server '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
---
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
      type: derived
status: test
description: Detects obfuscated PowerShell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        Payload|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        Payload|endswith: 'readtoend'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium
---
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
      type: derived
status: test
description: Detects obfuscated PowerShell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium
---
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects obfuscated PowerShell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium
---
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects obfuscated PowerShell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        ScriptBlockText|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ScriptBlockText|endswith: 'readtoend'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium
---
title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
---
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-exportPFX '
    condition: all of selection_*
falsepositives:
    - There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
---
title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: obsolete
status: test
description: Detects the presence of a potentially XOR-encoded PowerShell command
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://redcanary.com/blog/yellow-cockatoo/
    - https://zero2auto.com/2020/05/19/netwalker-re/
    - https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1140
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows PowerShell'
        - Product: 'PowerShell Core 6'
    selection_cli_xor:
        CommandLine|contains: 'bxor'
    selection_cli_other:
        CommandLine|contains:
            - 'ForEach'
            - 'for('
            - 'for '
            - '-join '
            - "-join'"
            - '-join"'
            - '-join`'
            - '::Join'
            - '[char]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
---
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
            - 'URL '
    selection_http:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
CommandLine|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
- 'readtoend('
condition: selection
falsepositives:
- Unknown
level: medium
title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
condition: all of selection_*
falsepositives:
- As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate suspicious activity
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'ConvertTo-SecureString'
condition: all of selection_*
falsepositives:
- Legitimate use to pass a password to other PowerShell commands
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
- id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
falsepositives:
- Unknown
level: medium
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: security
detection:
selection:
EventID: 5379
TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
filter: # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
TargetName|contains: '\Temporary Internet Files\Content.Outlook'
condition: selection and not filter
falsepositives:
- Legitimate use of encrypted ZIP files
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
- id: 175997c5-803c-4b08-8bb0-70b099f47595
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- 'readtoend'
ServiceFileName|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
condition: selection
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- 'readtoend'
ImagePath|contains:
- ':system.io.compression.deflatestream'
- 'system.io.streamreader'
condition: selection
falsepositives:
- Unknown
level: medium
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
ParentCommandLine: 'bash -i'
anomaly1:
CommandLine|contains:
- '-c import '
- 'base64'
- 'pty.spawn'
anomaly2:
Image|endswith:
- 'whoami'
- 'iptables'
- '/ncat'
- '/nc'
- '/netcat'
condition: selection and 1 of anomaly*
falsepositives:
- Legitimate software that uses these patterns
level: medium
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
- attack.stealth
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
Image|startswith: '/tmp/'
filter_optional_nextcloud:
Image|endswith: '/usr/bin/nextcloud'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
Detects the presence of Unicode characters which are homoglyphs, i.e. identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks.
references:
- https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
- http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
- attack.stealth
- attack.t1036
- attack.t1036.003
logsource:
category: file_event
product: windows
detection:
selection_upper:
TargetFilename|contains:
- "\u0410" # А/A
- "\u0412" # В/B
- "\u0415" # Е/E
- "\u041a" # К/K
- "\u041c" # М/M
- "\u041d" # Н/H
- "\u041e" # О/O
- "\u0420" # Р/P
- "\u0421" # С/C
- "\u0422" # Т/T
- "\u0425" # Х/X
- "\u0405" # Ѕ/S
- "\u0406" # І/I
- "\u0408" # Ј/J
- "\u04ae" # Ү/Y
- "\u04c0" # Ӏ/I
- "\u050C" # Ԍ/G
- "\u051a" # Ԛ/Q
- "\u051c" # Ԝ/W
- "\u0391" # Α/A
- "\u0392" # Β/B
- "\u0395" # Ε/E
- "\u0396" # Ζ/Z
- "\u0397" # Η/H
- "\u0399" # Ι/I
- "\u039a" # Κ/K
- "\u039c" # Μ/M
- "\u039d" # Ν/N
- "\u039f" # Ο/O
- "\u03a1" # Ρ/P
- "\u03a4" # Τ/T
- "\u03a5" # Υ/Y
- "\u03a7" # Χ/X
selection_lower:
TargetFilename|contains:
- "\u0430" # а/a
- "\u0435" # е/e
- "\u043e" # о/o
- "\u0440" # р/p
- "\u0441" # с/c
- "\u0445" # х/x
- "\u0455" # ѕ/s
- "\u0456" # і/i
- "\u04cf" # ӏ/l
- "\u0458" # ј/j
- "\u04bb" # һ/h
- "\u0501" # ԁ/d
- "\u051b" # ԛ/q
- "\u051d" # ԝ/w
- "\u03bf" # ο/o
condition: 1 of selection_*
falsepositives:
- File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via "MiniDumpWriteDump"
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
- https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
selection_cli:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Potential Homoglyph Attack Using Lookalike Characters
id: 32e280f1-8ad4-46ef-9e80-910657611fbc
status: test
description: |
Detects the presence of Unicode characters which are homoglyphs, i.e. identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks.
references:
- https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
- http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-07
tags:
- attack.stealth
- attack.t1036
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_upper:
CommandLine|contains:
- "\u0410" # А/A
- "\u0412" # В/B
- "\u0415" # Е/E
- "\u041a" # К/K
- "\u041c" # М/M
- "\u041d" # Н/H
- "\u041e" # О/O
- "\u0420" # Р/P
- "\u0421" # С/C
- "\u0422" # Т/T
- "\u0425" # Х/X
- "\u0405" # Ѕ/S
- "\u0406" # І/I
- "\u0408" # Ј/J
- "\u04ae" # Ү/Y
- "\u04c0" # Ӏ/I
- "\u050C" # Ԍ/G
- "\u051a" # Ԛ/Q
- "\u051c" # Ԝ/W
- "\u0391" # Α/A
- "\u0392" # Β/B
- "\u0395" # Ε/E
- "\u0396" # Ζ/Z
- "\u0397" # Η/H
- "\u0399" # Ι/I
- "\u039a" # Κ/K
- "\u039c" # Μ/M
- "\u039d" # Ν/N
- "\u039f" # Ο/O
- "\u03a1" # Ρ/P
- "\u03a4" # Τ/T
- "\u03a5" # Υ/Y
- "\u03a7" # Χ/X
selection_lower:
CommandLine|contains:
- "\u0430" # а/a
- "\u0435" # е/e
- "\u043e" # о/o
- "\u0440" # р/p
- "\u0441" # с/c
- "\u0445" # х/x
- "\u0455" # ѕ/s
- "\u0456" # і/i
- "\u04cf" # ӏ/l
- "\u0458" # ј/j
- "\u04bb" # һ/h
- "\u0501" # ԁ/d
- "\u051b" # ԛ/q
- "\u051d" # ԝ/w
- "\u03bf" # ο/o
condition: 1 of selection_*
falsepositives:
- Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
- id: 0cf2e1c6-8d10-4273-8059-738778f981ad
type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" command-line flag, which is used to run the file stored in the ReflectDebugger registry key. Attackers could store the path to their malware in that key in order to masquerade the execution flow
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
- attack.stealth
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\WerFault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
CommandLine|contains: ' -pr '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate use of procdump by a developer or administrator
level: medium
title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
- id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
type: derived
status: test
description: |
Detects a CodePage modification to the Russian language using the "mode.com" utility.
This behavior has been used by threat actors behind Dharma ransomware.
references:
- https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
- https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
- https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
# VT Query: behavior:"mode con cp select=1251"
# VT Query: behavior:"mode con cp select=866"
selection_img:
- Image|endswith: '\mode.com'
- OriginalFileName: 'MODE.COM'
selection_cli:
CommandLine|contains|all:
- ' con '
- ' cp '
- ' select='
CommandLine|endswith:
- '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
- '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
condition: all of selection_*
falsepositives:
- Russian-speaking users changing the CodePage
level: medium
title: Explorer Process Tree Break
id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
status: test
description: |
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries.
This is similar to cmd.exe /c, except that it breaks the process tree: the parent of the launched process becomes a new instance of explorer spawned from "svchost"
references:
- https://twitter.com/CyberRaiju/status/1273597319322058752
- https://twitter.com/bohops/status/1276357235954909188?s=12
- https://twitter.com/nas_bench/status/1535322450858233858
- https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
date: 2019-06-29
modified: 2025-10-31
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
# Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
selection_factory:
CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch the new explorer spawning, which indicates a process tree break. But you won't be able to catch the executing process; for that you need historical data
selection_root:
CommandLine|contains: 'explorer.exe'
CommandLine|contains|windash: ' /root,'
# There exist almost infinite possibilities to spawn from explorer. The "/root" flag is just an example.
# It's better to be able to inspect the process tree and look for explorer processes with "weird" flags in order to catch this technique.
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Process Start Locations
id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
status: test
description: Detects suspicious processes run from unusual locations
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2022-01-07
tags:
- attack.stealth
- attack.t1036
- car.2013-05-002
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- ':\RECYCLER\'
- ':\SystemVolumeInformation\'
- Image|startswith:
- 'C:\Windows\Tasks\'
- 'C:\Windows\debug\'
- 'C:\Windows\fonts\'
- 'C:\Windows\help\'
- 'C:\Windows\drivers\'
- 'C:\Windows\addins\'
- 'C:\Windows\cursors\'
- 'C:\Windows\system32\tasks\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
status: test
description: Detects usage of findstr to identify and execute a .lnk file, as seen in the HHS open-redirect attack
references:
- https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
author: Trent Liffick
date: 2020-05-01
modified: 2024-01-15
tags:
- attack.stealth
- attack.t1036
- attack.t1202
- attack.t1027.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
- '.lnk'
- '.lnk"'
- ".lnk'"
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious CodePage Switch Via CHCP
id: c7942406-33dd-4377-a564-0f62db0593a3
status: test
description: Detects a code page switch in command line or batch scripts to a rare language
references:
- https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
- https://twitter.com/cglyer/status/1183756892952248325
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-10-14
modified: 2023-03-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\chcp.com'
CommandLine|endswith:
- ' 936' # Chinese
# - ' 1256' # Arabic
- ' 1258' # Vietnamese
# - ' 855' # Russian
# - ' 866' # Russian
# - ' 864' # Arabic
condition: selection
falsepositives:
- Administrative activity (adjust code pages according to your organization's region)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
- Internal Research
author: Sreeman
date: 2020-04-17
modified: 2024-02-08
tags:
- attack.stealth
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
# TODO: Link this to the more generic system process rule
selection:
Image|endswith: '\hxtsr.exe'
filter_main_hxtsr:
Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
Image|endswith: '\hxtsr.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Potential Command Line Path Traversal Evasion Attempt
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
status: test
description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
references:
- https://twitter.com/hexacorn/status/1448037865435320323
- https://twitter.com/Gal_B1t/status/1062971006078345217
author: Christian Burkard (Nextron Systems)
date: 2021-10-26
modified: 2023-03-29
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|contains: '\Windows\'
CommandLine|contains:
- '\..\Windows\'
- '\..\System32\'
- '\..\..\'
selection_2:
CommandLine|contains: '.exe\..\'
filter_optional_google_drive:
CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
filter_optional_citrix:
CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Google Drive
- Citrix
level: medium