Sigma rules for Termite Ransomware
500 rules · scoped to actor · back to Termite Ransomware
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
- id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
type: similar
status: experimental
description: |
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add ' # reg.exe modification
- 'New-ItemProperty'
- 'Set-ItemProperty'
- 'si ' # short for Set-ItemProperty
selection_cli_paths_root:
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
selection_cli_paths_suffix:
CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
condition: all of selection_*
falsepositives:
- Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
technique: T1547.001
atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
- https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection1a:
CommandLine|contains|all:
- 'rundll32'
- 'apphelp.dll'
selection1b:
CommandLine|contains:
- 'ShimFlushCache'
- '#250'
selection2a:
CommandLine|contains|all:
- 'rundll32'
- 'kernel32.dll'
selection2b:
CommandLine|contains:
- 'BaseFlushAppcompatCache'
- '#46'
condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
falsepositives:
- Unknown
level: high
title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_reg:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_path:
CommandLine|contains:
# Add more suspicious registry locations below
- '\AppDataLow\Software\Microsoft\'
- '\Policies\Microsoft\Windows\OOBE'
- '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
- '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
- '\CurrentControlSet\Control\SecurityProviders\WDigest'
- '\Microsoft\Windows Defender\'
condition: all of selection_*
falsepositives:
- Rare legitimate add to registry via cli (to these locations)
level: high
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dnscmd.exe'
CommandLine|contains|all:
- '/config'
- '/serverlevelplugindll'
condition: selection
falsepositives:
- Unknown
level: high
title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
- id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
type: similar
status: test
description: |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2025-08-28
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'DisableRestrictedAdmin'
condition: selection
falsepositives:
- Unknown
level: high
title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
related:
- id: 73bba97f-a82d-42ce-b315-9182e76c57b1
type: similar
status: test
description: Detects the import of a alternate datastream to the registry with regedit.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli:
CommandLine|contains:
- ' /i '
- '.reg'
CommandLine|re: ':[^ \\]'
filter:
CommandLine|contains|windash:
- ' -e '
- ' -a '
- ' -c '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_cli:
- CommandLine|contains|all:
- 'reg '
- 'add'
- CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
selection_data:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'Services'
CommandLine|contains:
- 'ImagePath'
- 'FailureCommand'
- 'ServiceDLL'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Registry Modification From ADS Via Regini.EXE
id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
related:
- id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
type: derived
status: test
description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regini/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2023-02-08
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regini.exe'
- OriginalFileName: 'REGINI.EXE'
selection_re:
CommandLine|re: ':[^ \\]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
- id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
type: similar
status: experimental
description: |
Detects attempts to disable security event logging by adding the `MiniNt` registry key.
This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: process_creation
product: windows
detection:
selection_reg_img:
# Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains|all:
- ' add '
- '\SYSTEM\CurrentControlSet\Control\MiniNt'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd1:
CommandLine|contains:
- 'New-Item '
- 'ni '
selection_powershell_cmd2:
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
- Highly Unlikely
level: high
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
selection_complus:
EventID: 4657
ObjectName|contains: '\Environment'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: NetNTLM Downgrade Attack
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
type: derived
status: test
description: Detects NetNTLM downgrade attack
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth (Nextron Systems), wagga
date: 2018-03-20
modified: 2022-10-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685
- attack.t1112
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
selection:
EventID: 4657
ObjectName|contains|all:
- '\REGISTRY\MACHINE\SYSTEM'
- 'ControlSet'
- '\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'
condition: selection
falsepositives:
- Unknown
level: high
title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: test
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
- https://twitter.com/Flangvik/status/1283054508084473861
- https://twitter.com/SecurityJosh/status/1283027365770276866
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-07-14
modified: 2025-10-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4657
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
NewValue: 0
selection2:
EventID: 4663
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: '0x10000'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
filter:
Details|contains: NetworkService
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Office Macros Warning Disabled
id: 91239011-fe3c-4b54-9f24-15c86bb65913
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2024-03-19
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\VBAWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
falsepositives:
- Unknown
level: high
title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\PowerShell\' # PowerShell 5
- '\Microsoft\PowerShellCore\' # PowerShell 7
TargetObject|endswith:
- '\ModuleLogging\EnableModuleLogging'
- '\ScriptBlockLogging\EnableScriptBlockLogging'
- '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
- '\Transcription\EnableTranscripting'
- '\Transcription\EnableInvocationHeader'
- '\EnableScripts'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable PowerShell Logging via Registry
technique: T1112
atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8
title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
- id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
type: similar
status: test
description: |
Detects potential persistence activity via outlook today page.
An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains|all:
- 'Software\Microsoft\Office\'
- '\Outlook\Today\'
selection_value_stamp:
TargetObject|endswith: '\Stamp'
Details: 'DWORD (0x00000001)'
selection_value_url:
TargetObject|endswith:
- '\URL'
- '\UserDefinedUrl'
filter_main_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
status: test
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
- https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
- https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-09-12
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'WDigest\UseLogonCredential'
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: high
title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
- id: 171b67e1-74b4-460e-8d55-b331f3e32d67
type: obsolete
- id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
type: obsolete
- id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
type: similar
status: test
description: |
Detects tampering of RDP Terminal Service/Server sensitive settings.
Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
references:
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_shadow:
TargetObject|contains:
- '\Control\Terminal Server\'
- '\Windows NT\Terminal Services\'
TargetObject|endswith: '\Shadow'
Details:
- 'DWORD (0x00000001)' # Full Control with user’s permission
- 'DWORD (0x00000002)' # Full Control without user’s permission
- 'DWORD (0x00000003)' # View Session with user’s permission
- 'DWORD (0x00000004)' # View Session without user’s permission
selection_terminal_services_key:
TargetObject|contains:
- '\Control\Terminal Server\'
- '\Windows NT\Terminal Services\'
TargetObject|endswith:
- '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
- '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
- '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
- '\fAllowUnsolicitedFullControl'
Details: 'DWORD (0x00000001)'
selection_tamper_only:
# Any changes to these keys should be suspicious and looked at
TargetObject|contains:
- '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- '\services\TermService\Parameters\ServiceDll' # RDP hijacking
- '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
- '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
filter_main_securitylayer_tls:
TargetObject|endswith: '\SecurityLayer'
Details: 'DWORD (0x00000002)' # TLS Enabled
condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high
title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: test
description: |
Detects changes to the NGenAssemblyUsageLog registry key.
.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022-11-18
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
condition: selection
falsepositives:
- Unknown
level: high
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
- id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
type: similar
status: test
description: |
Detects potential persistence activity via outlook home page.
An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Software\Microsoft\Office\'
- '\Outlook\WebView\'
TargetObject|endswith: '\URL'
condition: selection
falsepositives:
- Unknown
level: high
title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
- https://www.youtube.com/watch?v=uSYvHUVU8xY
- https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
# O:SYG:SYD:(D;;0x1;;;WD)
# O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
selection_key_1:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
TargetObject|endswith: '\CustomSD'
selection_key_2:
TargetObject|contains:
- '\Policies\Microsoft\Windows\EventLog\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
TargetObject|endswith: '\ChannelAccess'
selection_details:
- Details|contains: 'D:(D;'
- Details|contains|all:
- 'D:('
- ')(D;'
filter_main_trustedinstaller:
Image: 'C:\Windows\servicing\TrustedInstaller.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
filter_optional_empty:
Image: ''
filter_optional_null:
Image: null
condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity, still unlikely
level: high
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
- id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- Internal Research
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- ':\Program Files (x86)\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office (x86)\Templates'
- ':\Program Files\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
- id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_etw_enabled:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection_complus:
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
Details:
- 0 # For REG_SZ type
- 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
status: test
description: Detect possible persistence using Fax DLL load when service restart
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Software\Microsoft\Fax\Device Providers\'
- '\ImageName'
filter:
Details: '%systemroot%\system32\fxst30.dll' # Windows 10
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
- id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
type: similar
status: experimental
description: |
Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
condition: selection
falsepositives:
- Highly Unlikely
level: high
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
- id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
type: similar
- id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- Unknown
level: high
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
- id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
- https://twitter.com/inversecos/status/1494174785621819397
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_value:
TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
selection_paths:
TargetObject|contains:
# Note: add more locations where you don't expect a user to executed macro enabled docs
- '/AppData/Local/Microsoft/Windows/INetCache/'
- '/AppData/Local/Temp/'
- '/PerfLogs/'
- 'C:/Users/Public/'
- 'file:///D:/'
- 'file:///E:/'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
- id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
type: similar
status: test
description: |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023-01-13
modified: 2024-08-23
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
condition: selection
falsepositives:
- Unknown
level: high
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1112
- attack.t1574.001
logsource:
category: registry_set
product: windows
detection:
selection_ocilib:
TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
filter_main_ocilib_file:
# it is looking when oci.dll name is changed to something else like evil.dll
Details|contains: 'oci.dll'
selection_ocilibpath:
TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
filter_main_ocilibpath:
# it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
Details|contains: '%SystemRoot%\System32\'
condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
- Unlikely
level: high
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
- id: c0abc838-36b0-47c9-b3b3-a90c39455382
type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_service_start:
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\Start'
Image|contains:
- '\Users\Public\'
- '\Perflogs\'
- '\ADMIN$\'
- '\Temp\'
Details:
- 'DWORD (0x00000000)' # boot
- 'DWORD (0x00000001)' # System
- 'DWORD (0x00000002)' # Automatic
# 3 - Manual , 4 - Disabled
selection_service_imagepath:
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
- '\Users\Public\'
- '\Perflogs\'
- '\ADMIN$\'
- '\Temp\'
filter_optional_avast:
Image|contains|all: # Filter FP with Avast software
- '\Common Files\'
- '\Temp\'
filter_optional_mbamservice:
TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
Image: 'C:\Windows\system32\services.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Potential Qakbot Registry Activity
id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
status: test
description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\Software\firm\soft\Name'
condition: selection
falsepositives:
- Unknown
level: high
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: registry_event
product: windows
detection:
selection:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
# key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
falsepositives:
- Unknown
level: high
title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
- https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
condition: selection
falsepositives:
- Unknown
level: high
title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
status: test
description: |
Detects potential malicious modification of the property value of IsCredGuardEnabled from
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
This is usually used with UseLogonCredential to manipulate the caching credentials.
references:
- https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-08-25
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\IsCredGuardEnabled'
condition: selection
falsepositives:
- Unknown
level: high
title: NetNTLM Downgrade Attack - Registry
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
status: test
description: Detects NetNTLM downgrade attack
references:
- https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
date: 2018-03-20
modified: 2024-12-03
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection_regkey:
TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
- '\Control\Lsa'
selection_value_lmcompatibilitylevel:
TargetObject|endswith: '\lmcompatibilitylevel'
Details:
- 'DWORD (0x00000000)'
- 'DWORD (0x00000001)'
- 'DWORD (0x00000002)'
selection_value_ntlmminclientsec:
TargetObject|endswith: '\NtlmMinClientSec'
Details:
- 'DWORD (0x00000000)' # No Security
- 'DWORD (0x00000010)' # Only Integrity
- 'DWORD (0x00000020)' # Only confidentiality
- 'DWORD (0x00000030)' # Both Integrity and confidentiality
selection_value_restrictsendingntlmtraffic:
# Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
# 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
# Hence all values should be monitored and investigated
TargetObject|endswith: '\RestrictSendingNTLMTraffic'
condition: selection_regkey and 1 of selection_value_*
falsepositives:
- Services or tools that set the values to more restrictive values
level: high
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1112
logsource:
category: registry_delete
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
selection2:
EventType: DeleteKey
TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
- id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith: '\dns.exe'
filter:
TargetFilename|endswith: '\dns.log'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
- id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: file_change
product: windows
detection:
selection:
Image|endswith: '\dns.exe'
filter:
TargetFilename|endswith: '\dns.log'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
references:
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
- attack.command-and-control
- attack.persistence
- attack.initial-access
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1105
- attack.t1133
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ArcSOC.exe'
TargetFilename|endswith:
- '.ahk'
- '.aspx'
- '.au3'
- '.bat'
- '.cmd'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.py'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Unlikely
level: high
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\dns.exe'
filter:
Image|endswith: '\conhost.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
- attack.initial-access
- attack.persistence
- attack.t1133
logsource:
category: registry_set
product: windows
detection:
chrome_ext:
TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
TargetObject|endswith: 'update_url'
chrome_vpn:
TargetObject|contains:
- fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
- fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
- bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
- gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
- jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
- gjknjjomckknofjidppipffbpoekiipm # VPN Free
- nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
- kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
- nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
- omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
- bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
- mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
- jljopmgdobloagejpohpldgkiellmfnc # PP VPN
- lochiccbgeohimldjooaakjllnafhaid # IP Unblock
- nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
- ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
- namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
- nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
- majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
- lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
- eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
- cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
- foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
- hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
- jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
- inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
- higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
- hipncndjamdcmphkgngojegjblibadbe # RusVPN
- iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
- nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
- jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
- fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
- ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
- keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
- hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
- poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
- dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
- kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
- klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
- lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
- pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
- jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
- jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
- hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
- ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
- kcndmbbelllkmioekdagahekgimemejo # VPN.AC
- jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
- bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
- ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
- oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
- bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
- knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
- dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
- jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
- mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
- omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
- npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
- akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
- gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
- aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
- cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
- ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
- ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
- jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
- apcfdffemoinopelidncddjbhkiblecc # Soul VPN
- mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
- oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
- plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
- mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
- bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
- aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
- lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
- knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
- bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
- edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
- eidnihaadmmancegllknfbliaijfmkgo # Push VPN
- ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
- macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
- chioafkonnhbpajpengbalkececleldf # BullVPN
- amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
- llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
- pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
- iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
- igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
- njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
- ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
- kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
- bnijmipndnicefcdbhgcjoognndbgkep # Veee
- lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
- dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
- egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
- ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
- bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
- almalgbpmcfpdaopimbdchdliminoign # Urban Shield
- akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
- gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
- bniikohfmajhdcffljgfeiklcbgffppl # Upnet
- lejgfmmlngaigdmmikblappdafcmkndb # uVPN
- ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
- gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
- pooljnboifbodgifngpppfklhifechoe # GeoProxy
- fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
- aakchaleigkohafkfjfjbblobjifikek # ProxFlow
- dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
- padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
- bfidboloedlamgdmenmlbipfnccokknp # PureVPN
condition: all of chrome_*
falsepositives:
- Unknown
level: high
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
- https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
- attack.discovery
- attack.t1135
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\explorer.exe'
CommandLine|contains: 'shell:mycomputerfolder'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1140
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'mcasSuspiciousInboxManipulationRules'
condition: selection
falsepositives:
- Actual mailbox rules that are moving items based on their workflow.
level: high
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
- https://twitter.com/mattifestation/status/1326228491302563846
- https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
- attack.stealth
- attack.t1140
- attack.t1218.005
- attack.execution
- attack.t1059.007
- cve.2020-1599
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'mshta.exe'
selection_cli:
CommandLine|contains:
- '.7z'
- '.avi'
- '.bat'
- '.bmp'
- '.conf'
- '.csv'
- '.dll'
- '.doc'
- '.gif'
- '.gz'
- '.ini'
- '.jpe'
- '.jpg'
- '.json'
- '.lnk'
- '.log'
- '.mkv'
- '.mp3'
- '.mp4'
- '.pdf'
- '.png'
- '.ppt'
- '.rar'
- '.rtf'
- '.svg'
- '.tar'
- '.tmp'
- '.txt'
- '.xls'
- '.xml'
- '.yaml'
- '.yml'
- '.zip'
- 'vbscript'
# - '.chm' # could be prone to false positives
# - '.exe'
condition: all of selection_*
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high