Sigma rules for ToddyCat
500 rules · scoped to actor · back to ToddyCat
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
- attack.persistence
- attack.lateral-movement
- attack.defense-impairment
- attack.t1021.001
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection_main_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_main_cli:
CommandLine|contains|all:
- ' add '
- '\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection_values_1:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection_values_2:
CommandLine|contains:
- 'AllowTSConnections'
- 'fDenyTSConnections'
- 'fEnableWinStation'
- 'fSingleSessionPerUser'
- 'IdleWinStationPoolCount'
- 'MaxInstanceCount'
- 'SecurityLayer'
- 'TSAdvertise'
- 'TSAppCompat'
- 'TSEnabled'
- 'TSUserEnabled'
- 'WinStations\RDP-Tcp'
filter_main_values_tls:
CommandLine|contains|all:
- 'SecurityLayer'
- '02' # TLS Enabled
condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious RDP Redirect Using TSCON
id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
status: test
description: Detects a suspicious RDP session redirect using tscon.exe
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2023-05-16
tags:
- attack.lateral-movement
- attack.t1563.002
- attack.t1021.001
- car.2013-07-002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /dest:rdp-tcp#'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Plink Port Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
status: test
description: Detects suspicious Plink tunnel port forwarding to a local port
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth (Nextron Systems)
date: 2021-01-19
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1572
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection:
Description: 'Command-line SSH, Telnet, and Rlogin client'
CommandLine|contains: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: high
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
- id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
- https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
- attack.initial-access
- attack.persistence
- attack.lateral-movement
- attack.t1133
- attack.t1136.001
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1090.001
- attack.t1090.002
- attack.t1021.001
- car.2013-07-002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestAddress:
- '127.*'
- '::1'
destinationRDP:
DestPort: 3389
SourceAddress:
- '127.*'
- '::1'
filter_app_container:
FilterOrigin: 'AppContainer Loopback'
filter_thor: # checking BlueKeep vulnerability
Application|endswith:
- '\thor.exe'
- '\thor64.exe'
condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
- Programs that connect locally to the RDP port
level: high
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
status: test
description: RDP login with localhost source address may be a tunnelled login
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Thomas Patzke
date: 2019-01-28
modified: 2022-10-09
tags:
- attack.lateral-movement
- car.2013-07-002
- attack.t1021.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 10
IpAddress:
- '::1'
- '127.0.0.1'
condition: selection
falsepositives:
- Unknown
level: high
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
- id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
filter_keywords:
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection and not 1 of filter_*
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
related:
- id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
type: derived
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\\'
- '\IPC$'
name|endswith:
- '-stdin'
- '-stdout'
- '-stderr'
filter:
name|startswith: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: HackTool - NetExec File Indicators
id: efc21479-9e83-41da-8cf1-122e06ba8db3
status: experimental
description: |
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
Active Directory enumeration, credential harvesting, and remote code execution.
references:
- https://github.com/Pennyw0rth/NetExec
- https://www.netexec.wiki/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-08
tags:
- attack.execution
- attack.lateral-movement
- attack.discovery
- attack.t1021.002
- attack.t1059.005
logsource:
product: windows
category: file_event
detection:
selection:
- Image|contains: '\nxc-windows-latest\'
- TargetFilename|contains|all:
- '\Temp\_MEI'
- '\nxc\data\'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml
title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- 'rundll32.exe'
- 'rundll32'
condition: selection
falsepositives:
- False positives may occur if a user called rundll32 from CLI with no options
level: high
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: test
description: |
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
- https://github.com/0xthirteen/SharpMove/
- https://pentestlab.blog/tag/sharpmove/
author: Luca Di Bartolomeo (CrimpSec)
date: 2024-01-29
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SharpMove.exe'
- OriginalFileName: SharpMove.exe
selection_cli_computer:
# In its current implementation the "computername" flag is required in all actions
CommandLine|contains: 'computername='
selection_cli_actions:
CommandLine|contains:
- 'action=create'
- 'action=dcom'
- 'action=executevbs'
- 'action=hijackdcom'
- 'action=modschtask'
- 'action=modsvc'
- 'action=query'
- 'action=scm'
- 'action=startservice'
- 'action=taskscheduler'
condition: selection_img or all of selection_cli_*
falsepositives:
- Unknown
level: high
title: Rundll32 UNC Path Execution
id: 5cdb711b-5740-4fb2-ba88-f7945027afac
status: test
description: Detects rundll32 execution where the DLL is located on a remote location (share)
references:
- https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
tags:
- attack.execution
- attack.lateral-movement
- attack.stealth
- attack.t1021.002
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli:
CommandLine|contains: ' \\\\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\wmiprvse.exe'
ImageLoaded|endswith: '\wbem\wbemcomn.dll'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|endswith:
- '-stdin'
- '-stdout'
- '-stderr'
filter:
RelativeTargetName|startswith: 'PSEXESVC'
condition: selection1 and not filter
falsepositives:
- Unknown
level: high
title: SMB Create Remote File Admin Share
id: b210394c-ba12-4f89-9117-44a2464b9511
status: test
description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
- https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020-08-06
modified: 2025-10-17
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|endswith: 'C$'
AccessMask: '0x2'
filter_main_subjectusername:
SubjectUserName|endswith: '$'
filter_optional_local_ip:
IpAddress: '::1'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4625
- 4624
LogonType: 3
AuthenticationPackageName: 'NTLM'
WorkstationName|re: '^[A-Za-z0-9]{16}$'
selection2:
EventID: 4776
Workstation|re: '^[A-Za-z0-9]{16}$'
condition: 1 of selection*
falsepositives:
- Linux hostnames composed of 16 characters.
level: high
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
status: test
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC'
RelativeTargetName: 'protected_storage'
condition: selection
falsepositives:
- Unknown
level: high
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
- id: 5a105d34-05fc-401e-8553-272b45c1522d
type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
event_id:
EventID: 4697
selection1:
ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection2:
ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
selection3:
ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
selection4:
ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
condition: event_id and 1 of selection*
falsepositives:
- Unknown
level: high
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|contains:
- 'RemCom_stdin'
- 'RemCom_stdout'
- 'RemCom_stderr'
condition: selection1
falsepositives:
- Unknown
level: high
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
false_positives:
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'lsass'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'sql\query'
- 'eventlog'
condition: selection1 and not false_positives
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
title: T1047 Wmiprvse Wbemcomn DLL Hijack
id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-02-24
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
status: test
description: Detects the use of smbexec.py tool by detecting a specific service installation
references:
- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
date: 2018-03-20
modified: 2023-11-09
tags:
- attack.lateral-movement
- attack.execution
- attack.t1021.002
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service_name:
ServiceName: 'BTOBTO'
selection_service_image:
ImagePath|contains:
- '.bat & del '
- '__output 2^>^&1 >'
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection_key:
- TargetObject|contains: '\System\CurrentControlSet\Services'
- TargetObject|contains|all:
- '\System\ControlSet'
- '\Services'
selection_details:
- Details|contains|all:
- 'ADMIN$'
- '.exe'
- Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains:
- '{echo'
- '{base64,-d}'
condition: selection
falsepositives:
- Legitimate files with similar naming patterns (very unlikely).
level: high
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
Payload|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2023-01-04
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains|all:
- 'set'
- '&&'
- 'mshta'
- 'vbscript:createobject'
- '.run'
- '(window.close)'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
- id: e54f5149-6ba3-49cf-b153-070d24679126
type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
id: 2f211361-7dce-442d-b78a-c04039677378
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_payload:
- Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- Payload|re: '\*mdr\*\W\s*\)\.Name'
- Payload|re: '\$VerbosePreference\.ToString\('
- Payload|re: '\[String\]\s*\$VerbosePreference'
condition: selection_payload
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - PowerShell Module
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
condition: selection_4103
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019-11-08
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_iex:
- ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ScriptBlockText|re: '\*mdr\*\W\s*\)\.Name'
- ScriptBlockText|re: '\$VerbosePreference\.ToString\('
condition: selection_iex
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - Powershell
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ScriptBlockText|contains:
- 'value'
- 'invoke'
- 'comspec'
- 'iex'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - PowerShell
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation CLIP+ Launcher - PowerShell
id: 73e67340-0d25-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - PowerShell
id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'set'
- '&&'
- 'mshta'
- 'vbscript:createobject'
- '.run'
- '(window.close)'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - Powershell
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
condition: selection_4104
falsepositives:
- Unknown
level: high
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\gthread-3.6.dll'
- '\sigcmm-2.4.dll'
- '\Windows\Temp\tmp.bat'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1546
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1140
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
falsepositives:
- Administrative script libraries
level: high
title: Ping Hex IP
id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
status: test
description: Detects a ping command that uses a hex encoded IP address
references:
- https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth (Nextron Systems)
date: 2018-03-23
modified: 2025-10-17
tags:
- attack.stealth
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ping.exe'
CommandLine|re: '0x[a-fA-F0-9]{8}'
condition: selection
falsepositives:
- Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high
title: Invoke-Obfuscation VAR+ Launcher
id: 27aec9c9-dbb0-4939-8422-1742242471d0
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
condition: selection
falsepositives:
- Unknown
level: high