Sigma rules for TA505
500 rules · scoped to actor · back to TA505
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
- https://twitter.com/cyberwar_15/status/1187287262054076416
- https://blog.alyac.co.kr/1901
- https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1203
- attack.t1059.003
- attack.g0032
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Hwp.exe'
Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: test
description: Detects command line parameters used by Koadic hack tool
references:
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
author: wagga, Jonhnathan Ribeiro, oscd.community
date: 2020-01-12
modified: 2023-02-11
tags:
- attack.execution
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- '/q'
- '/c'
- 'chcp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
- id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains:
- 'Invoke-UserHunter'
- 'Invoke-ShareFinder'
- 'Invoke-Kerberoast'
- 'Invoke-SMBAutoBrute'
- 'Invoke-Nightmare'
- 'zerologon'
- 'av_query'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
- https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
- attack.execution
- attack.stealth
- attack.t1106
- attack.t1059.003
- attack.t1218.011
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\rundll32.exe'
- '\cmd.exe'
CommandLine|contains:
- 'gthread-3.6.dll'
- '\Windows\Temp\tmp.bat'
- 'sigcmm-2.4.dll'
condition: selection
falsepositives:
- Unknown
level: high
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
- id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|startswith:
- 'cmd '
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- 'psinject'
- 'spawnas'
- 'make_token'
- 'remote-exec'
- 'rev2self'
- 'dcsync'
- 'logonpasswords'
- 'execute-assembly'
- 'getsystem'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Conhost.exe CommandLine Path Traversal
id: ee5e119b-1f75-4b34-add8-3be976961e39
status: test
description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
references:
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains: 'conhost'
CommandLine|contains: '/../../'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential CommandLine Path Traversal Via Cmd.EXE
id: 087790e3-3287-436c-bccf-cbd0184a7db1
status: test
description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
references:
- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
- https://twitter.com/Oddvarmoe/status/1270633613449723905
author: xknow @xknow_infosec, Tim Shelton
date: 2020-06-11
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\cmd.exe'
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'cmd.exe'
selection_flags:
- ParentCommandLine|contains:
- '/c'
- '/k'
- '/r'
- CommandLine|contains:
- '/c'
- '/k'
- '/r'
selection_path_traversal:
- ParentCommandLine: '/../../'
- CommandLine|contains: '/../../'
filter_java:
CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Java tools are known to produce false-positive when loading libraries
level: high
title: Suspicious Scripting in a WMI Consumer
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
status: test
description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
references:
- https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
- https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
- https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2019-04-15
modified: 2023-09-09
tags:
- attack.execution
- attack.t1059.005
logsource:
product: windows
category: wmi_event
detection:
selection_destination:
- Destination|contains|all:
- 'new-object'
- 'net.webclient'
- '.downloadstring'
- Destination|contains|all:
- 'new-object'
- 'net.webclient'
- '.downloadfile'
- Destination|contains:
- ' iex('
- ' -nop '
- ' -noprofile '
- ' -decode '
- ' -enc '
- 'WScript.Shell'
- 'System.Security.Cryptography.FromBase64Transform'
condition: selection_destination
falsepositives:
- Legitimate administrative scripts
level: high
title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains|all:
- '\AppData\Roaming\Oracle\bin\java'
- '.exe'
- TargetFilename|contains|all:
- '\Retrive'
- '.vbs'
condition: selection
level: high
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
references:
- WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
TargetFilename|contains:
- ':\Perflogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp'
- '\AppData\Roaming\Temp'
- '\Start Menu\Programs\Startup\'
- '\Temporary Internet'
TargetFilename|endswith:
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
- https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
- https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1055.012
- attack.t1059.005
- attack.t1059.007
- attack.t1218.005
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\System32\cscript.exe'
- '\System32\wscript.exe'
- '\System32\mshta.exe'
- '\winword.exe'
- '\excel.exe'
TargetImage|contains: '\SysWOW64\'
StartModule: null
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
- id: aaf46cdc-934e-4284-b329-34aa701e3771
type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- Image|contains:
- '\AppData\Local\'
- '\AppData\Roaming\'
- ':\Users\Public\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\PerfLogs\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: test
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-06-19
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'wscript.exe'
- 'cscript.exe'
- Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_extension:
CommandLine|contains:
# Note: add additional potential suspicious extension
# We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it
- '.csv'
- '.dat'
- '.doc'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.ppt'
- '.txt'
- '.xls'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 07aa184a-870d-413d-893a-157f317f6f58
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'gatherNetworkInfo.vbs'
filter:
Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
- https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
- https://reaqta.com/2017/11/short-journey-darkvnc/
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.007
- attack.t1218.005
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\csc.exe'
- OriginalFileName: 'csc.exe'
selection_parent_generic:
ParentImage|endswith:
- '\cscript.exe'
- '\excel.exe'
- '\mshta.exe'
- '\onenote.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wscript.exe'
selection_parent_powershell:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
ParentCommandLine|contains:
- '-Encoded '
- 'FromBase64String'
selection_parent_susp_location:
- ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
- ParentCommandLine|contains:
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Temporary Internet'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Pictures\'
filter_main_programfiles:
# Note: this is a generic filter. You could baseline execution in your env for a more robust rule
ParentImage|startswith:
- 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
- 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_sdiagnhost:
ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_w3p:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
filter_optional_chocolatey:
ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
filter_optional_defender:
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
filter_optional_ansible:
# Note: As ansible is widely used we exclude it with this generic filter.
# A better option would be to filter based on script content basis or other marker while hunting
ParentCommandLine|contains:
# '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
- 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
- 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
- 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
- id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
type: similar
- id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
type: similar
status: test
description: |
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
- https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/mattifestation/status/986280382042595328 # Deleted
- https://atomicredteam.io/defense-evasion/T1220/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
- attack.stealth
- attack.t1047
- attack.t1220
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- Hashes|contains: # Sysmon field hashes contains all types
- 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
- 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
- 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
- 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
- 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
selection_cli:
CommandLine|contains|windash: '/format:'
CommandLine|contains:
- '://'
- '\\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
- https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
- attack.t1059.002
- attack.t1059.007
- attack.execution
logsource:
product: macos
category: process_creation
detection:
selection_main:
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'eval'
- 'NSData.dataWithContentsOfURL'
selection_js:
- CommandLine|contains|all:
- ' -l '
- 'JavaScript'
- CommandLine|contains: '.js'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
- attack.stealth
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020-1599
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'mshta.exe'
selection_cli:
CommandLine|contains:
- '.7z'
- '.avi'
- '.bat'
- '.bmp'
- '.conf'
- '.csv'
- '.dll'
- '.doc'
- '.gif'
- '.gz'
- '.ini'
- '.jpe'
- '.jpg'
- '.json'
- '.lnk'
- '.log'
- '.mkv'
- '.mp3'
- '.mp4'
- '.pdf'
- '.png'
- '.ppt'
- '.rar'
- '.rtf'
- '.svg'
- '.tar'
- '.tmp'
- '.txt'
- '.xls'
- '.xml'
- '.yaml'
- '.yml'
- '.zip'
- 'vbscript'
# - '.chm' # could be prone to false positives
# - '.exe'
condition: all of selection_*
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_flag:
CommandLine|contains: 'snapshot'
selection_paths:
CommandLine|contains:
# TODO: Add more suspicious paths
- '\Downloads\'
- '\Users\Public\'
- '\AppData\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.s0039
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
EventID: 4661
AccessMask: '0x2d'
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
ObjectName|endswith:
- '-500'
- '-512'
condition: selection
falsepositives:
- Administrator activity
level: high
title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
- id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
type: derived
status: test
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
references:
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_pwsh_remove: # Autologger provider removal
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
selection_pwsh_set: # Provider “Enable” property modification
ScriptBlockText|contains|all:
- 'Set-EtwTraceProvider '
- '0x11'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
- https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
- https://www.shellhacks.com/clear-history-powershell/
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains: Clear-History
selection2a:
ScriptBlockText|contains:
- Remove-Item
- rm
selection2b:
ScriptBlockText|contains:
- ConsoleHost_history.txt
- (Get-PSReadlineOption).HistorySavePath
condition: selection1 or selection2a and selection2b
falsepositives:
- Unknown
level: high
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
TargetFilename|contains: '_Cmdlet_'
condition: selection
falsepositives:
- Possible FP during log rotation
level: high
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
- attack.impact
- attack.stealth
- attack.t1070
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\fsutil.exe'
- OriginalFileName: 'fsutil.exe'
selection_cli:
CommandLine|contains:
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
- 'setZeroData' # file setZeroData ==> empties a file with zeroes
condition: all of selection_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://blog.talosintelligence.com/2017/05/wannacry.html
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
- https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
- https://github.com/Neo23x0/Raccine#the-process
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-10-22
modified: 2022-11-03
tags:
- attack.impact
- attack.stealth
- attack.t1070
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection1_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\wmic.exe'
- '\vssadmin.exe'
- '\diskshadow.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wmic.exe'
- 'VSSADMIN.EXE'
- 'diskshadow.exe'
selection1_cli:
CommandLine|contains|all:
- 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
- 'delete'
selection2_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection2_cli:
CommandLine|contains|all:
- 'delete'
- 'catalog'
- 'quiet' # will match -quiet or /quiet
selection3_img:
- Image|endswith: '\vssadmin.exe'
- OriginalFileName: 'VSSADMIN.EXE'
selection3_cli:
CommandLine|contains|all:
- 'resize'
- 'shadowstorage'
CommandLine|contains:
- 'unbounded'
- '/MaxSize='
condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
- LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://abuse.io/lockergoga.txt
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_clear_1:
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: # ETW provider removal from a trace session
CommandLine|contains|all:
- 'logman'
- 'update'
- 'trace'
- '--p'
- '-ets'
selection_pwsh_remove: # Autologger provider removal
CommandLine|contains: 'Remove-EtwTraceProvider'
selection_pwsh_set: # Provider “Enable” property modification
CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '0x11'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
- id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains|all:
- 'unload'
- 'sysmon'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021-08-27
modified: 2023-01-23
tags:
- attack.stealth
- attack.t1070
logsource:
service: msexchange-management
product: windows
detection:
keywords:
'|all':
- 'Remove-MailboxExportRequest'
- ' -Identity '
- ' -Confirm "False"'
condition: keywords
falsepositives:
- Unknown
level: high
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1112
logsource:
category: registry_delete
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
selection2:
EventType: DeleteKey
TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
- attack.stealth
- attack.t1070.004
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|contains: ':\Windows\Prefetch\'
TargetFilename|endswith: '.pf'
filter_main_svchost:
Image|endswith: ':\windows\system32\svchost.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
- https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
# Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
selection_count:
CommandLine|contains|windash: ' -n '
selection_nul:
CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
selection_del_param:
CommandLine|contains|windash:
- ' -f '
- ' -q '
selection_all:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'del '
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
related:
- id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d # DLL Load
type: derived
status: test
description: Detects SILENTTRINITY stager use via PE metadata
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- Unlikely
level: high
title: HackTool - SILENTTRINITY Stager DLL Load
id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
related:
- id: 03552375-cc2c-4883-bbe4-7958d5a980be # Process Creation
type: derived
status: test
description: Detects SILENTTRINITY stager dll loading activity
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-17
tags:
- attack.command-and-control
- attack.t1071
logsource:
category: image_load
product: windows
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- Unlikely
level: high
title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: test
description: Detects wannacry killswitch domain dns queries
references:
- https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
author: Mike Wade
date: 2020-09-16
modified: 2022-03-24
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: dns
detection:
selection:
query:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
condition: selection
falsepositives:
- Analyst testing
level: high
title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: test
description: |
Detects outbound network connection initiated by Microsoft Dialer.
The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
- https://tria.ge/240301-rk34sagf5x/behavioral2
- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024-04-26
tags:
- attack.execution
- attack.command-and-control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: ':\Windows\System32\dialer.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high
title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_image_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_image_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_image_tunnel_service:
CommandLine|contains|all:
- 'tunnel '
- 'service'
- 'internal-run'
- 'tunnel-service.log'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
filter_main_parent_code:
ParentImage|endswith:
- '\code-tunnel.exe'
- '\code.exe'
filter_main_image_code:
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
- Unknown
level: high
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1071.001
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
falsepositives:
cs-host|endswith:
- '.com'
- '.net'
- '.org'
- '.scdn.co' # spotify streaming
- '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
condition: selection and not falsepositives
falsepositives:
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
- https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
logsource:
category: proxy
detection:
selection:
c-uri|contains:
- '.paste.ee/r/'
- '.pastebin.com/raw/'
- '.hastebin.com/raw/'
- '.ghostbin.co/paste/*/raw/'
- 'pastetext.net/'
- 'pastebin.pl/'
- 'paste.ee/'
condition: selection
falsepositives:
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
- https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
- https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
- https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# RATs
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
- 'HttpBrowser/1.0' # HTTPBrowser RAT
- '*<|>*' # Houdini / Iniduoh / njRAT
- 'nsis_inetc (mozilla)' # ZeroAccess
- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
# Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
# Malware
- '*zeroup*' # W32/Renos.Downloader
- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
- '* adlib/*'
- '* tiny' # Trojan Downloader
- '* BGroom *' # Trojan Downloader
- '* changhuatong'
- '* CholTBAgent'
- 'Mozilla/5.0 WinInet'
- 'RookIE/1.0'
- 'M' # HkMain
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
- 'backdoorbot'
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
- 'Opera' # Trojan Keragany
- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
- 'MSIE' # Toby web shell
- '*(Charon; Inferno)' # Loki Bot
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
- 'Mozilla/5.0 (Windows NT 6.1)'
- 'AppleWebkit/587.38 (KHTML, like Gecko)'
- 'Chrome/91.0.4472.77'
- 'Safari/537.36'
- 'Edge/91.0.864.37'
- 'Firefox/89.0'
- 'Gecko/20100101'
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'
- 'sample'
- 'nocase'
- 'Moxilla'
- 'Win32 *'
- '*Microsoft Internet Explorer*'
- 'agent *'
- 'AutoIt' # Suspicious - base-lining recommended
- 'IczelionDownLoad'
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
- 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
- 'antSword/v2.1' # AntSword Webshell UA
- 'rqwrwqrqwrqw' # Racoon Stealer
- 'qwrqrwrqwrqwr' # Racoon Stealer
- 'rc2.0/client' # Racoon Stealer
- 'TakeMyPainBack' # Racoon Stealer
- 'xxx' # Racoon Stealer
- '20112211' # Racoon Stealer
- '23591' # Racoon Stealer
- '901785252112' # Racoon Stealer
- '1235125521512' # Racoon Stealer
- '125122112551' # Racoon Stealer
- 'B1D3N_RIM_MY_ASS' # Racoon Stealer
- 'AYAYAYAY1337' # Racoon Stealer
- 'iMightJustPayMySelfForAFeature' # Racoon Stealer
- 'ForAFeature' # Racoon Stealer
- 'Ares_ldr_v_*' # AresLoader
# - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
- 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
- 'CLCTR' # https://github.com/silence-is-best/c2db
- 'uploader' # https://github.com/silence-is-best/c2db
- 'agent' # https://github.com/silence-is-best/c2db
- 'License' # https://github.com/silence-is-best/c2db
- 'vb wininet' # https://github.com/silence-is-best/c2db
- 'Client' # https://github.com/silence-is-best/c2db
- 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
- 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
- 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
- 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'DuckTales' # Racoon Stealer
- 'Zadanie' # Racoon Stealer
- 'GunnaWunnaBlueTips' # Racoon Stealer
- 'Xlmst' # Racoon Stealer
- 'GeekingToTheMoon' # Racoon Stealer
- 'SunShineMoonLight' # Racoon Stealer
- 'BunnyRequester' # BunnyStealer
- 'BunnyTasks' # BunnyStealer
- 'BunnyStealer' # BunnyStealer
- 'BunnyLoader_Dropper' # BunnyStealer
- 'BunnyLoader' # BunnyStealer
- 'BunnyShell' # BunnyStealer
- 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
- '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
- 'SouthSide' # Racoon Stealer
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
- https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020-07-13
modified: 2024-02-26
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-uri:
- '/admin/get.php'
- '/news.php'
- '/login/process.php'
cs-method: 'POST'
condition: selection
falsepositives:
- Valid requests with this exact user agent to server scripts of the defined names
level: high
title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
- Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# APT Related
- 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
- 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
- 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
- 'webclient' # Naikon APT
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
- 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
- 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001' # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
condition: selection
falsepositives:
- Old browsers
level: high
title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
- Legitimate WebDAV administration
level: high
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Empire
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
# Exploits
- '*wordpress hash grabber*'
- '*exploit*'
# Havoc
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
condition: selection
falsepositives:
- Unknown
level: high
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
- https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
# XMRig
- 'XMRig '
# CCMiner
- 'ccminer'
condition: selection
falsepositives:
- Unknown
level: high
title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
- https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1071.001
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
cs-host|endswith:
- '1'
- '2'
- '3'
- '4'
- '5'
- '6'
- '7'
- '8'
- '9'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection1:
c-useragent|startswith:
- 'user-agent' # User-Agent: User-Agent:
- 'Mozilla/3.0 '
- 'Mozilla/2.0 '
- 'Mozilla/1.0 '
- 'Mozilla ' # missing slash
- ' Mozilla/' # leading space
- 'Mozila/' # single 'l'
- 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488
selection2:
c-useragent|contains:
- ' (compatible;MSIE ' # typical typo - missing space
- '.0;Windows NT ' # typical typo - missing space
- 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
selection3:
c-useragent:
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
- 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
- 'x' # Use by Racoon Stealer but could be something else
- 'xxx' # Use by Racoon Stealer but could be something else
falsepositives:
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
condition: 1 of selection* and not falsepositives
falsepositives:
- Unknown
level: high
title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
- id: 953b895e-5cc9-454b-b183-7f3db555452e
type: obsolete
- id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
type: obsolete
- id: 37325383-740a-403d-b1a2-b2b4ab7992e7
type: obsolete
- id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection_amazon_1:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection_amazon_2:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
selection_generic_1:
c-useragent:
- 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
- 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
selection_generic_2:
c-useragent|endswith: '; MANM; MANM)'
selection_oscp:
c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
selection_onedrive:
cs-method: 'GET'
c-uri|endswith: '\?manifest=wac'
cs-host: 'onedrive.live.com'
filter_main_onedrive:
c-uri|startswith: 'http'
c-uri|contains: '://onedrive.live.com/'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.t1048.001
- attack.command-and-control
- attack.t1071.004
- attack.t1132.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
- Unlikely
level: high