Sigma rules for Tick
516 rules · scoped to actor · back to Tick
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
- id: baca5663-583c-45f9-b5dc-ea96a22ce542
type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
- https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\winlogon.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\wt.exe'
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'Magnify.exe'
- 'Narrator.exe'
- 'DisplaySwitch.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Persistence Via Sticky Key Backdoor
id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
status: test
description: |
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
When the sticky keys are "activated" the privilleged shell is launched.
references:
- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
- https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Sreeman
date: 2020-02-18
modified: 2023-03-07
tags:
- attack.persistence
- attack.t1546.008
- attack.privilege-escalation
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'copy '
- '/y '
- 'C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
logsource:
category: registry_event
product: windows
detection:
selection_registry:
TargetObject|endswith:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
condition: selection_registry
falsepositives:
- Unlikely
level: critical
title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
id: a861d835-af37-4930-bcd6-5b178bfb54df
related:
- id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
type: similar
status: test
description: |
Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: frack113
date: 2021-12-28
modified: 2025-11-18
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
- '.GetRequest()'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Debugger Registration Cmdline
id: ae215552-081e-44c7-805f-be16f975c8a2
status: test
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-06
modified: 2022-08-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.008
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
selection2:
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'magnify.exe'
- 'narrator.exe'
- 'displayswitch.exe'
- 'atbroker.exe'
- 'HelpPane.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Suspicious Kerberos Ticket Request via CLI
id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
related:
- id: a861d835-af37-4930-bcd6-5b178bfb54df
type: similar
status: experimental
description: |
Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
techniques like silver ticket attacks.
references:
- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-18
tags:
- attack.credential-access
- attack.t1558.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
- '.GetRequest()'
condition: all of selection_*
falsepositives:
- Legitimate command line usage by administrators or security tools.
level: high
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
- https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1036
- attack.credential-access
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_flags:
CommandLine|contains|windash:
- ' -ma '
- ' -mm ' # Mini dump
- ' -mp ' # Miniplus dump
selection_process:
CommandLine|contains:
- ' ls' # Short for lsass
- ' keyiso'
- ' samss'
condition: all of selection_*
falsepositives:
- Unlikely, because no one should dump an lsass process memory
- Another tool that uses command line flags similar to ProcDump
level: high
title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
- id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
type: similar
- id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
type: similar
status: experimental
description: |
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
- https://woshub.com/disable-credential-guard-windows/
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli:
CommandLine|contains:
# add/modify
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
# delete
- 'delete '
- 'del '
- 'Remove-ItemProperty '
- 'rp '
selection_key_base:
CommandLine|contains:
- '\Control\DeviceGuard'
- '\Control\LSA'
- 'Software\Policies\Microsoft\Windows\DeviceGuard'
selection_key_specific:
CommandLine|contains:
- 'EnableVirtualizationBasedSecurity'
- 'RequirePlatformSecurityFeatures'
- 'LsaCfgFlags'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml
title: PetitPotam Suspicious Kerberos TGT Request
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
status: test
description: |
Detect suspicious Kerberos TGT requests.
Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
This request will generate a 4768 event with some unusual fields depending on the environment.
This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
- https://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-10-05
tags:
- attack.credential-access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
detection:
selection:
EventID: 4768
TargetUserName|endswith: '$'
CertThumbprint|contains: '*'
filter_local:
IpAddress: '::1'
filter_thumbprint:
CertThumbprint: ''
condition: selection and not 1 of filter_*
falsepositives:
- False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
level: high
title: Windows Credential Guard Disabled - Registry
id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
related:
- id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
type: similar
status: experimental
description: |
Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
- https://woshub.com/disable-credential-guard-windows/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\DeviceGuard\EnableVirtualizationBasedSecurity'
- '\DeviceGuard\LsaCfgFlags'
- '\Lsa\LsaCfgFlags'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml
title: Windows Credential Guard Related Registry Value Deleted - Registry
id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
related:
- id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
type: similar
status: experimental
description: |
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
- https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|endswith:
- '\DeviceGuard\EnableVirtualizationBasedSecurity'
- '\DeviceGuard\LsaCfgFlags'
- '\DeviceGuard\RequirePlatformSecurityFeatures'
- '\Lsa\LsaCfgFlags'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml
title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: test
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
- https://adsecurity.org/?p=3458
author: sigma
date: 2020-02-12
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: zeek
service: kerberos
detection:
selection:
request_type: 'TGS'
cipher: 'rc4-hmac'
computer_acct:
service|startswith: '$'
condition: selection and not computer_acct
falsepositives:
- Normal enterprise SPN requests activity
level: medium
title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.
This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
references:
- https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
modified: 2025-07-04
logsource:
product: windows
service: security
detection:
selection:
EventID: 4768
TicketEncryptionType: '0x17'
ServiceName: 'krbtgt'
PreAuthType: 0
condition: selection
falsepositives:
- Legacy systems or applications that legitimately use RC4 encryption
- Misconfigured accounts with pre-authentication disabled
level: medium
title: Suspicious Kerberos RC4 Ticket Encryption
id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
status: test
description: Detects service ticket requests using RC4 encryption type
references:
- https://adsecurity.org/?p=3458
- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
author: Florian Roth (Nextron Systems)
date: 2017-02-06
modified: 2022-06-19
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4769
TicketOptions: '0x40810000'
TicketEncryptionType: '0x17'
reduction:
ServiceName|endswith: '$'
condition: selection and not reduction
falsepositives:
- Service accounts used on legacy systems (e.g. NetApp)
- Windows Domains with DFL 2003 and legacy systems
level: medium
title: No Suitable Encryption Key Found For Generating Kerberos Ticket
id: b1e0b3f5-b62e-41be-886a-daffde446ad4
status: test
description: |
Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
author: '@SerkinValery'
date: 2024-03-07
modified: 2025-09-22
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
service: system
detection:
selection:
Provider_Name:
- 'Kerberos-Key-Distribution-Center'
- 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
EventID:
- 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
- 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
condition: selection
falsepositives:
- Unknown
level: low
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
Image|endswith: '\expand.exe'
CommandLine|contains|windash: '-F:'
selection_folders_1:
CommandLine|contains:
- ':\Perflogs\'
- ':\ProgramData'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Admin$\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\C$\'
- '\Temporary Internet'
selection_folders_2:
- CommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
filter_optional_dell:
# Launched by Dell ServiceShell.exe
ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
- System administrator Usage
level: medium
title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
status: test
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth (Nextron Systems)
date: 2019-10-12
modified: 2023-08-17
tags:
- attack.resource-development
- attack.t1588.002
logsource:
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
TargetObject|contains:
- '\Keyboard Layout\Preload\'
- '\Keyboard Layout\Substitutes\'
Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
- 0000042a # Vietnamese
condition: selection_registry
falsepositives:
- Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
level: medium
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
- https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1558
- attack.t1003.001
- attack.t1003.002
logsource:
category: antivirus
detection:
selection:
- Signature|startswith: 'PWS'
- Signature|contains:
- 'Certify'
- 'DCSync'
- 'DumpCreds'
- 'DumpLsass'
- 'DumpPert'
- 'HTool/WCE'
- 'Kekeo'
- 'Lazagne'
- 'LsassDump'
- 'Mimikatz'
- 'MultiDump'
- 'Nanodump'
- 'NativeDump'
- 'Outflank'
- 'PShlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'PWS.'
- 'PWSX'
- 'pypykatz'
- 'Rubeus'
- 'SafetyKatz'
- 'SecurityTool'
- 'SharpChrome'
- 'SharpDPAPI'
- 'SharpDump'
- 'SharpKatz'
- 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
- 'ShpKatz'
- 'TrickDump'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
- attack.credential-access
- attack.resource-development
- attack.t1588.002
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
condition: selection
falsepositives:
- Legitimate use of one of these tools
level: critical
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
- id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
- attack.credential-access
- attack.t1003
- attack.t1558.003
- attack.lateral-movement
- attack.t1550.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Rubeus.exe'
- OriginalFileName: 'Rubeus.exe'
- Description: 'Rubeus'
- CommandLine|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- 'dump /luid:0x'
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Windows\System32\lsass.exe'
Image|endswith: '\Windows\System32\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: critical
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
- attack.credential-access
- attack.t1003
- attack.s0005
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Unknown
level: critical
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: 'dumpert.dmp'
condition: selection
falsepositives:
- Very unlikely
level: critical
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains:
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: critical
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
- https://github.com/Kevin-Robertson/Inveigh
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Inveigh.exe'
- OriginalFileName:
- '\Inveigh.exe'
- '\Inveigh.dll'
- Description: 'Inveigh'
- CommandLine|contains:
- ' -SpooferIP'
- ' -ReplyToIPs '
- ' -ReplyToDomains '
- ' -ReplyToMACs '
- ' -SnifferIP'
condition: selection
falsepositives:
- Very unlikely
level: critical
title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
- https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SafetyKatz.exe'
- OriginalFileName: 'SafetyKatz.exe'
- Description: 'SafetyKatz'
condition: selection
falsepositives:
- Unlikely
level: critical
title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
- CommandLine|contains: 'Dumpert.dll'
condition: selection
falsepositives:
- Very unlikely
level: critical
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 36803969-5421-41ec-b92f-8500f79c23b0
type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains|all:
- '\AppData\Local\Temp\SAM-'
- '.dmp'
condition: selection
falsepositives:
- Unknown
level: critical
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: file_event
detection:
selection:
Image: System
TargetFilename|endswith: '\wbem\wbemcomn.dll'
condition: selection
falsepositives:
- Unknown
level: critical
title: Potential DCOM InternetExplorer.Application DLL Hijack
id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
related:
- id: e554f142-5cf3-4e55-ace9-a1b59e0def65
type: obsolete
- id: f354eba5-623b-450f-b073-0b5b2773b6aa
type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
category: file_event
detection:
selection:
Image: System
TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
condition: selection
falsepositives:
- Unknown
level: critical
title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
id: f354eba5-623b-450f-b073-0b5b2773b6aa
related:
- id: e554f142-5cf3-4e55-ace9-a1b59e0def65
type: obsolete
- id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\Internet Explorer\iexplore.exe'
ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
condition: selection
falsepositives:
- Unknown
level: critical
title: CobaltStrike Service Installations - System
id: 5a105d34-05fc-401e-8553-272b45c1522d
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_id:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection1:
ImagePath|contains|all:
- 'ADMIN$'
- '.exe'
selection2:
ImagePath|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
selection3:
ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
selection4:
ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
- Unknown
level: critical
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'whoami.exe'
filter:
Image|endswith: '\whoami.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: test
description: |
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains:
- '$DoIt'
- 'harmj0y'
- 'mattifestation'
- '_RastaMouse'
- 'tifkin_'
- '0xdeadbeef'
condition: selection_4103
falsepositives:
- 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
- attack.execution
- attack.t1059.001
- attack.command-and-control
- attack.t1071.004
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
ScriptBlockText|contains|all:
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
# better to randomise the order
ScriptBlockText|contains|all:
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
- https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-uri|contains: 'momyshark\?key='
condition: selection
falsepositives:
- Unlikely
level: critical
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
- https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/pwndrop/'
condition: selection
falsepositives:
- Unknown
level: critical
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
- https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
- attack.initial-access
- cve.2021-42278
- cve.2021-42287
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
service: security
product: windows
detection:
# Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
selection1:
SamAccountName|startswith: 'SAMTHEADMIN-'
SamAccountName|endswith: '$'
selection2:
TargetUserName|startswith: 'SAMTHEADMIN-'
TargetUserName|endswith: '$'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
EventID:
- 12
- 13
TargetObject|contains: 'SYSTEM\'
TargetObject|endswith: '\services\localNETService'
condition: selection
falsepositives:
- Unknown
level: critical
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 8001
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9001
condition: selection
falsepositives:
- Unlikely
level: high
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 17001
condition: selection
falsepositives:
- Unlikely
level: high
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
- attack.collection
- attack.credential-access
- attack.t1003
- attack.t1056.001
logsource:
product: linux
service: auditd
detection:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
- https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
tags:
- attack.credential-access
- attack.t1003
logsource:
category: ps_script
product: windows
detection:
selection_1:
ScriptBlockText|contains|all:
- 'DumpCreds'
- 'DumpCerts'
selection_2:
ScriptBlockText|contains: 'sekurlsa::logonpasswords'
selection_3:
ScriptBlockText|contains|all:
- 'crypto::certificates'
- 'CERT_SYSTEM_STORE_LOCAL_MACHINE'
condition: 1 of selection*
falsepositives:
- Mimikatz can be useful for testing the security of networks
level: high
title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-StorageDiagnosticInfo'
- '-IncludeLiveDump'
condition: selection
falsepositives:
- Diagnostics
level: high