
Sigma rules for Zumanek

500 rules, scoped to this actor.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Showing 50 of 500
Related · medium
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
Status: test · Author: Daniel Koifman (KoifSec) · ID: 5bac7a56-da88-4c27-922e-c81e113b20cb · License: Sigma DRL-1.1
Sigma YAML:
title: Github Self-Hosted Runner Execution
id: 5bac7a56-da88-4c27-922e-c81e113b20cb
status: test
description: |
    Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
    Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
    It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
references:
    - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
    - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
author: Daniel Koifman (KoifSec)
date: 2025-11-29
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_worker_img:  # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
        - Image|endswith: '\Runner.Worker.exe'
        - OriginalFileName: 'Runner.Worker.dll'
    selection_worker_cli:
        CommandLine|contains: 'spawnclient'
    selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe  configure --url https://github.com/ABC/ABC --token 123123
        - Image|endswith: '\Runner.Listener.exe'
        - OriginalFileName: 'Runner.Listener.dll'
    selection_listener_cli:
        CommandLine|contains:
            - 'run'
            - 'configure'
    condition: all of selection_worker_* or all of selection_listener_*
falsepositives:
    - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
    - Authorized runner deployments by DevOps/Platform teams following change management
    - Scheduled runner updates or reconfigurations on existing build agents
    - Self-hosted runners that follow expected/known naming patterns
    - Installation via expected/known configuration management tools (reflected mostly as parent process name)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml
Related · medium
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on Linux with a user-agent option set.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: b86d356d-6093-443d-971c-9b07db583c68 · License: Sigma DRL-1.1
Sigma YAML:
title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
      type: derived
status: test
description: Detects a suspicious curl process start on linux with set useragent options
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
Related · medium
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Status: test · Author: frack113 · ID: d4488827-73af-4f8d-9244-7b7662ef046e · License: Sigma DRL-1.1
Sigma YAML:
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_webrequest:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
            - 'iwr '
    selection_useragent:
        ScriptBlockText|contains: '-UserAgent '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Related · medium
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: a1d9eec5-33b2-4177-8d24-27fe754d0812 · License: Sigma DRL-1.1
Sigma YAML:
title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflared tunnels domains.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium
Related · medium
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Status: test · Author: citron_ninja · ID: b3e6418f-7c7a-4fad-993a-93b65027a9f1 · License: Sigma DRL-1.1
Sigma YAML:
title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: '.tunnels.api.visualstudio.com'
    condition: selection
falsepositives:
    - Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
Related · medium
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Status: test · Author: citron_ninja · ID: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b · License: Sigma DRL-1.1
Sigma YAML:
title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
status: test
description: |
    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium
Related · medium
Visual Studio Code Tunnel Execution
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), citron_ninja · ID: 90d6bd71-dffb-4989-8d86-a827fedd6624 · License: Sigma DRL-1.1
Sigma YAML:
title: Visual Studio Code Tunnel Execution
id: 90d6bd71-dffb-4989-8d86-a827fedd6624
status: test
description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
date: 2023-10-25
modified: 2025-10-29
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_only_tunnel:
        OriginalFileName: null
        CommandLine|endswith: '.exe tunnel'
    selection_tunnel_args:
        CommandLine|contains|all:
            - '.exe tunnel'
            - '--accept-server-license-terms'
    selection_parent_tunnel:
        ParentCommandLine|endswith: ' tunnel'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/d /c '
            - '\servers\Stable-'
            - 'code-server.cmd'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel
level: medium
Related · medium
Visual Studio Code Tunnel Shell Execution
Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: f4a623c2-4ef5-4c33-b811-0642f702c9f1 · License: Sigma DRL-1.1
Sigma YAML:
title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: test
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\servers\Stable-'
        ParentImage|endswith: '\server\node.exe'
        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)
    selection_child_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
    selection_child_2:
        Image|endswith:
            - '\wsl.exe'
            - '\bash.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel and running code from there
level: medium
Related · medium
Visual Studio Code Tunnel Service Installation
Detects the installation of VsCode tunnel (code-tunnel) as a service.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: 30bf1789-379d-4fdc-900f-55cd0a90a801 · License: Sigma DRL-1.1
Sigma YAML:
title: Visual Studio Code Tunnel Service Installation
id: 30bf1789-379d-4fdc-900f-55cd0a90a801
status: test
description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'tunnel '
            - 'service'
            - 'internal-run'
            - 'tunnel-service.log'
    condition: selection
falsepositives:
    - Legitimate installation of code-tunnel as a service
level: medium
Related · medium
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: d443095b-a221-4957-a2c4-cd1756c9b747 · License: Sigma DRL-1.1
Sigma YAML:
title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium
Related · medium
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
Status: test · Author: Florian Roth (Nextron Systems) · ID: c8557060-9221-4448-8794-96320e6f3e74 · License: Sigma DRL-1.1
Sigma YAML:
title: Windows PowerShell User Agent
id: c8557060-9221-4448-8794-96320e6f3e74
status: test
description: Detects Windows PowerShell Web Access
references:
    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains: ' WindowsPowerShell/'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
level: medium
Related · medium
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
Status: test · Author: Florian Roth (Nextron Systems), Brian Ingram (update) · ID: 894a8613-cf12-48b3-8e57-9085f54aa0c3 · License: Sigma DRL-1.1
Sigma YAML:
title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
    - id: d443095b-a221-4957-a2c4-cd1756c9b747
      type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|endswith: '='
    condition: selection
falsepositives:
    - Unknown
level: medium
Related · medium
HTTP Request With Empty User Agent
Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.
Status: test · Author: Florian Roth (Nextron Systems) · ID: 21e44d78-95e7-421b-a464-ffd8395659c4 · License: Sigma DRL-1.1
Sigma YAML:
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
Related · medium
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Status: test · Author: Florian Roth (Nextron Systems) · ID: b494b165-6634-483d-8c47-2026a6c52372 · License: Sigma DRL-1.1
Sigma YAML:
title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.002
logsource:
    category: proxy
detection:
    selection:
        cs-host: 'api.telegram.org' # Often used by Bots
    filter:
        c-useragent|contains:
            # Used https://core.telegram.org/bots/samples for this list
            - 'Telegram'
            - 'Bot'
    condition: selection and not filter
falsepositives:
    - Legitimate use of Telegram bots in the company
level: medium
Related · medium
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3 · License: Sigma DRL-1.1
Sigma YAML:
title: Bitbucket User Details Export Attempt Detected
id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
status: test
description: Detects user data export activity.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.reconnaissance
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User permissions export failed'
            - 'User permissions export started'
            - 'User permissions exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
Related · medium
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: 87cc6698-3e07-4ba2-9b43-a85a73e151e2 · License: Sigma DRL-1.1
Sigma YAML:
title: Bitbucket User Permissions Export Attempt
id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
status: test
description: Detects user permission data export attempt.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.reconnaissance
    - attack.collection
    - attack.discovery
    - attack.t1213
    - attack.t1082
    - attack.t1591.004
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Users and groups'
        auditType.action:
            - 'User details export failed'
            - 'User details export started'
            - 'User details exported'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: medium
Related · medium
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ID: 5de06a6f-673a-4fc0-8d48-bcfe3837b033 · License: Sigma DRL-1.1
Sigma YAML:
title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: test
description: Detects the use of "sw_vers" for system information discovery
references:
    - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
    - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
    - https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
    selection_image:
        Image|endswith: '/sw_vers'
    selection_options:
        CommandLine|contains:
            - '-buildVersion'
            - '-productName'
            - '-productVersion'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Related · medium
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
Status: test · Author: Pratinav Chandra · ID: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c · License: Sigma DRL-1.1
Sigma YAML:
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
    Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
    This process is primarily used to detect and avoid virtualization and analysis environments.
references:
    - https://www.loobins.io/binaries/sysctl/#
    - https://evasions.checkpoint.com/techniques/macos.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://objective-see.org/blog/blog_0x1E.html
    - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
    - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
    - attack.stealth
    - attack.t1497.001
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/sysctl'
        - CommandLine|contains: 'sysctl'
    selection_cmd:
        CommandLine|contains:
            - 'hw.'
            - 'kern.'
            - 'machdep.'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Related · medium
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
Status: test · Author: Stephen Lincoln `@slincoln_aiq` (AttackIQ) · ID: 4809c683-059b-4935-879d-36835986f8cf · License: Sigma DRL-1.1
Sigma YAML:
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
    Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
    This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
    - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
    - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
    - https://ss64.com/mac/system_profiler.html
    - https://objective-see.org/blog/blog_0x62.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
    - attack.discovery
    - attack.stealth
    - attack.t1082
    - attack.t1497.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/system_profiler'
        - CommandLine|contains: 'system_profiler'
    selection_cmd:
        # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refer to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
        CommandLine|contains:
            - 'SPApplicationsDataType'
            - 'SPHardwareDataType'
            - 'SPNetworkDataType'
            - 'SPUSBDataType'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Related · medium
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ID: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0 · License: Sigma DRL-1.1
Sigma YAML:
title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
    Detects the use of "ioreg" which will show I/O Kit registry information.
    This process is used for system information discovery.
    It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
references:
    - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
    - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
    - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
    - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # Examples:
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
    #   /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
    #   ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
    selection_img:
        - Image|endswith: '/ioreg'
        - CommandLine|contains: 'ioreg'
    selection_cmd1:
        CommandLine|contains:
            - '-l'
            - '-c'
    selection_cmd2:
        CommandLine|contains:
            - 'AppleAHCIDiskDriver'
            - 'IOPlatformExpertDevice'
            - 'Oracle'
            - 'Parallels'
            - 'USB Vendor Name'
            - 'VirtualBox'
            - 'VMware'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Related · medium
Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
Status: test · Author: TropChaud · ID: 9d5a1274-922a-49d0-87f3-8c653483b909 · License: Sigma DRL-1.1
Sigma YAML:
title: Uncommon System Information Discovery Via Wmic.EXE
id: 9d5a1274-922a-49d0-87f3-8c653483b909
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: derived
status: test
description: |
    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
    including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
    and GPU driver products/versions.
    Some of these commands were used by Aurora Stealer in late 2022/early 2023.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: TropChaud
date: 2023-01-26
modified: 2023-12-19
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmic:
        - Description: 'WMI Commandline Utility'
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_commands:
        CommandLine|contains:
            - 'LOGICALDISK get Name,Size,FreeSpace'
            - 'os get Caption,OSArchitecture,Version'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
related medium
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low-level operations
status test author Florian Roth (Nextron Systems) id 5722dff1-4bdd-4949-86ab-fbaf707e767a license Sigma · DRL-1.1
view Sigma YAML
title: PUA - System Informer Execution
id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
related:
    - id: 811e0002-b13b-4a15-9d00-a613fce66e42
      type: similar
status: test
description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low-level operations
references:
    - https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.stealth
    - attack.t1082
    - attack.t1564
    - attack.t1543
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SystemInformer.exe'
        - OriginalFileName: 'SystemInformer.exe'
        - Description: 'System Informer'
        - Product: 'System Informer'
        - Hashes|contains:
              # Note: add other hashes as needed
              # 3.0.11077.6550
              - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
              - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
              - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
              - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
    condition: selection
falsepositives:
    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
related medium
System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.
status test author Stephen Lincoln '@slincoln-aiq' (AttackIQ) id c79da740-5030-45ec-a2e0-479e824a562c license Sigma · DRL-1.1
view Sigma YAML
title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
      type: similar
status: test
description: |
    An adversary might use WMI to discover information about the system, such as the volume name, size,
    free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
    observed being used by threat actors such as Volt Typhoon.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
    - attack.execution
    - attack.discovery
    - attack.t1047
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        - CommandLine|contains:
              - ' volumename'
              - ' logicaldisk'
        - CommandLine|contains|all:
              - 'path'
              - 'win32_logicaldisk'
        - CommandLine|contains|all:
              - ' volume'
              - ' list '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
related medium
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
status test author Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems) id e568650b-5dcd-4658-8f34-ded0b1e13992 license Sigma · DRL-1.1
view Sigma YAML
title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: |
    Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products.
    Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
    This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
    - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
    - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
    - https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2025-03-17
tags:
    - attack.execution
    - attack.t1047
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        # Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        CommandLine|contains:
            - 'AntiVirusProduct'
            - 'AntiSpywareProduct'
            - 'FirewallProduct'
    condition: all of selection_*
falsepositives:
    - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispyware products.
level: medium
related medium
Potential Suspicious Activity Using SeCEdit
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
status test author Janantha Marasinghe id c2c76b77-32be-4d1f-82c9-7e544bdfe0eb license Sigma · DRL-1.1
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium
related medium
Potential Discovery Activity Using Find - MacOS
Detects usage of the "find" binary in a suspicious manner to perform discovery
status test author Nasreddine Bencherchali (Nextron Systems) id 85de3a19-b675-4a51-bfc6-b11a5186c971 license Sigma · DRL-1.1
view Sigma YAML
title: Potential Discovery Activity Using Find - MacOS
id: 85de3a19-b675-4a51-bfc6-b11a5186c971
related:
    - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
      type: similar
status: test
description: Detects usage of the "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status test author Nasreddine Bencherchali (Nextron Systems) id bb382fd5-b454-47ea-a264-1828e4c766d6 license Sigma · DRL-1.1
view Sigma YAML
title: Shell Invocation via Apt - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: test
description: |
    Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/apt/
    - https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'APT::Update::Pre-Invoke::='
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Potential Discovery Activity Using Find - Linux
Detects usage of the "find" binary in a suspicious manner to perform discovery
status test author Nasreddine Bencherchali (Nextron Systems) id 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf license Sigma · DRL-1.1
view Sigma YAML
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
    - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
      type: similar
status: test
description: Detects usage of the "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc., that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id d7a650c4-226c-451e-948f-cc490db506aa license Sigma · DRL-1.1
view Sigma YAML
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
related medium
Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
status test author frack113 id 162e69a7-7981-4344-84a9-0f1c9a217a52 license Sigma · DRL-1.1
view Sigma YAML
title: Powershell Directory Enumeration
id: 162e69a7-7981-4344-84a9-0f1c9a217a52
status: test
description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
    - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1083
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - foreach
            - Get-ChildItem
            - '-Path '
            - '-ErrorAction '
            - SilentlyContinue
            - 'Out-File '
            - '-append'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
related medium
Powershell Sensitive File Discovery
Detects adversaries enumerating sensitive files
status test author frack113 id 7d416556-6502-45b2-9bad-9d2f05f38997 license Sigma · DRL-1.1
view Sigma YAML
title: Powershell Sensitive File Discovery
id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
      type: derived
status: test
description: Detects adversaries enumerating sensitive files
references:
    - https://twitter.com/malmoeb/status/1570814999370801158
author: frack113
date: 2022-09-16
tags:
    - attack.discovery
    - attack.t1083
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - ls
            - get-childitem
            - gci
    selection_recurse:
        ScriptBlockText|contains: '-recurse'
    selection_file:
        ScriptBlockText|contains:
            - '.pass'
            - '.kdbx'
            - '.kdb'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
related medium
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc., that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 44030449-b0df-4c94-aae1-502359ab28ee license Sigma · DRL-1.1
view Sigma YAML
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
related medium
Source Code Enumeration Detection by Keyword
Detects source code enumeration that uses GET requests with keyword searches in URL strings
status test author James Ahearn id 953d460b-f810-420a-97a2-cfca4c98e602 license Sigma · DRL-1.1
view Sigma YAML
title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
status: test
description: Detects source code enumeration that uses GET requests with keyword searches in URL strings
references:
    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
author: James Ahearn
date: 2019-06-08
modified: 2022-10-05
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: webserver
detection:
    keywords:
        - '.git/'
    condition: keywords
falsepositives:
    - Unknown
level: medium
related medium
Cloudflared Quick Tunnel Execution
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
status test author Sajid Nawaz Khan id 222129f7-f4dc-4568-b0d2-22440a9639ba license Sigma · DRL-1.1
view Sigma YAML
title: Cloudflared Quick Tunnel Execution
id: 222129f7-f4dc-4568-b0d2-22440a9639ba
related:
    - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
      type: similar
    - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
      type: similar
status: test
description: |
    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
    The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
    The tool has been observed in use by threat groups including Akira ransomware.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
author: Sajid Nawaz Khan
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cloudflared.exe'
              - '\cloudflared-windows-386.exe'
              - '\cloudflared-windows-amd64.exe'
        - Hashes|contains:
              - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
              - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
              - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
              - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
              - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
              - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
              - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
              - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
              - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
              - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
              - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
              - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
              - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
              - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
              - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
              - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
              - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
              - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
              - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
              - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
              - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
              - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
              - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
              - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
              - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
              - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
              - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
              - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
              - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
              - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
              - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
              - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
              - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
              - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
              - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
              - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
              - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
              - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
    # Note:
    #   Accounts for the cloudflared binaries being renamed
    #   `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names
    selection_param:
        - CommandLine|contains|all:
              - '-url'
              - 'tunnel'
        - CommandLine|contains:
              - '.exe -url'
              - '.exe --url'
    selection_other:
        CommandLine|contains|all:
            - '-url'
            - '-no-autoupdate'
    condition: (selection_img and selection_param) or selection_other
falsepositives:
    - Legitimate usage of Cloudflare Quick Tunnel
level: medium
related medium
Cloudflared Portable Execution
Detects the execution of the "cloudflared" binary from a non-standard location.
status test author Nasreddine Bencherchali (Nextron Systems) id fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd license Sigma · DRL-1.1
view Sigma YAML
title: Cloudflared Portable Execution
id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
status: test
description: |
    Detects the execution of the "cloudflared" binary from a non-standard location.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - https://github.com/cloudflare/cloudflared/releases
author: Nasreddine Bencherchali (Nextron Systems)
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cloudflared.exe'
    filter_main_admin_location:
        Image|contains:
            - ':\Program Files (x86)\cloudflared\'
            - ':\Program Files\cloudflared\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of Cloudflared portable versions
level: medium
related medium
Suspicious Non-Browser Network Communication With Google API
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
status experimental author Gavin Knapp id 7e9cf7b6-e827-11ed-a05b-0242ac120003 license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: |
    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
    - https://github.com/looCiprian/GC2-sheet
    - https://youtu.be/n2dFlSaBBKo
    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023-05-01
modified: 2025-02-22
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            # Note: Please add additional google API related domains that might be abused.
            - 'drive.googleapis.com'
            - 'oauth2.googleapis.com'
            - 'sheets.googleapis.com'
            - 'www.googleapis.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image|endswith:
            - ':\Program Files\Google\Chrome\Application\chrome.exe'
            - ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_google_drive:
        Image|contains: ':\Program Files\Google\Drive File Stream\'
        Image|endswith: '\GoogleDriveFS.exe'
    filter_optional_firefox:
        Image|endswith:
            - ':\Program Files\Mozilla Firefox\firefox.exe'
            - ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image|endswith:
            - ':\Program Files (x86)\Internet Explorer\iexplore.exe'
            - ':\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith:
              - ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - ':\Program Files\Microsoft\Edge\Application\msedge.exe'
              - '\WindowsApps\MicrosoftEdge.exe'
    filter_optional_edge_2:
        Image|contains:
            - ':\Program Files (x86)\Microsoft\EdgeCore\'
            - ':\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_googleupdate:
        Image|endswith: '\GoogleUpdate.exe'
    filter_optional_outlook_exe:
        Image|endswith: '\outlook.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
related medium
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
status test author Nasreddine Bencherchali (Nextron Systems) id 5c80b618-0dbb-46e6-acbb-03d90bcb6d83 license Sigma · DRL-1.1
view Sigma YAML
title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
related:
    - id: e043f529-8514-4205-8ab0-7f7d2927b400
      type: derived
status: test
description: |
    Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
modified: 2024-07-16
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: 'azurewebsites.net'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
related medium
Suspicious Non-Browser Network Communication With Telegram API
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2.
status test author Nasreddine Bencherchali (Nextron Systems) id c3dbbc9f-ef1d-470a-a90a-d343448d5875 license Sigma · DRL-1.1
title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, apps with RSS functionality, etc.
level: medium
related medium
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
status test author Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) id 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 license Sigma · DRL-1.1
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - ' run '
        CommandLine|contains:
            - '-config '
            - '-credentials-contents '
            - '-credentials-file '
            - '-token '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared tunnel.
level: medium
related medium
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
status test author Nasreddine Bencherchali (Nextron Systems) id 7050bba1-1aed-454e-8f73-3f46f09ce56a license Sigma · DRL-1.1
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
references:
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - 'cleanup '
        CommandLine|contains:
            - '-config '
            - '-connector-id '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared.
level: medium
related medium
Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
status test author Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) id b5c7395f-e501-4a08-94d4-57fe7a9da9d2 license Sigma · DRL-1.1
title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c ' # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium
related medium
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
status test author Christian Burkard (Nextron Systems), Tim Shelton (FP) id 3f3f3506-1895-401b-9cc3-e86b16e630d0 license Sigma · DRL-1.1
title: Potential Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: test
description: Detects potential calls to NtOpenProcess directly from NTDLL.
references:
    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
date: 2021-07-28
modified: 2023-12-13
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
    filter_main_vcredist:
        TargetImage|endswith: 'vcredist_x64.exe'
        SourceImage|endswith: 'vcredist_x64.exe'
    filter_main_generic:
        # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
        TargetImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    filter_main_kerneltrace_edge:
        # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    filter_optional_vmware:
        TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
        SourceImage|endswith: 'setup64.exe' # vmware
    filter_optional_cylance:
        SourceImage|endswith: ':\Windows\Explorer.EXE'
        TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
    filter_optional_amazon:
        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
    filter_optional_vscode: # VsCode
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_optional_teams: # MS Teams
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_discord: # Discord
        TargetImage|contains: '\AppData\Local\Discord\'
        TargetImage|endswith: '\Discord.exe'
    filter_optional_yammer:
        SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
        SourceImage|endswith: '\Yammer.exe'
        TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
        TargetImage|endswith: '\Yammer.exe'
        GrantedAccess: '0x1000'
    filter_optional_evernote:
        TargetImage|endswith: '\Evernote\Evernote.exe'
    filter_optional_adobe_acrobat:
        SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        SourceImage|endswith: '\AcroCEF.exe'
        TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        TargetImage|endswith: '\AcroCEF.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
related medium
Windows Screen Capture with CopyFromScreen
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
status test author frack113 id d4a11f63-2390-411c-9adf-d791fd152830 license Sigma · DRL-1.1
title: Windows Screen Capture with CopyFromScreen
id: d4a11f63-2390-411c-9adf-d791fd152830
status: test
description: |
    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
author: frack113
date: 2021-12-28
modified: 2022-07-07
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '.CopyFromScreen'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
status test author Beyu Denis, oscd.community id 2158f96f-43c2-43cb-952a-ab4580f32382 license Sigma · DRL-1.1
title: Screen Capture Activity Via Psr.EXE
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: test
description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Psr/
    - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Beyu Denis, oscd.community
date: 2019-10-12
modified: 2024-01-04
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Psr.exe'
        CommandLine|contains:
            - '/start'
            - '-start'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
Windows Recall Feature Enabled Via Reg.EXE
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status test author Sajid Nawaz Khan id 817f252c-5143-4dae-b418-48c3e9f63728 license Sigma · DRL-1.1
title: Windows Recall Feature Enabled Via Reg.EXE
id: 817f252c-5143-4dae-b418-48c3e9f63728
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation.
    Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_value:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        CommandLine|contains|all:
            - 'Microsoft\Windows\WindowsAI'
            - 'DisableAIDataAnalysis'
    selection_action_add:
        # Both the "add" verb and the "0" data value must be present. A plain
        # "contains" (any-of) here would also match commands that set the value
        # to 1, i.e. the command that disables Recall rather than enabling it.
        CommandLine|contains|all:
            - 'add'
            - '0'
    selection_action_delete:
        CommandLine|contains: 'delete'
    condition: selection_img and selection_value and 1 of selection_action_*
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
related medium
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status test author Sajid Nawaz Khan id 75180c5f-4ea1-461a-a4f6-6e4700c065d4 license Sigma · DRL-1.1
title: Windows Recall Feature Enabled - Registry
id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
related:
    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        TargetObject|endswith: '\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
related medium
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up system registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
status test author Nasreddine Bencherchali (Nextron Systems) id 973ef012-8f1a-4c40-93b4-7e659a5cd17f license Sigma · DRL-1.1
title: Periodic Backup For System Registry Hives Enabled
id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
status: test
description: |
    Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up system registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
    Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-01
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Session Manager\Configuration Manager\EnablePeriodicBackup'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate need for RegBack feature by administrators.
level: medium
related medium
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
status test author Sajid Nawaz Khan id 5dfc1465-8f65-4fde-8eb5-6194380c6a62 license Sigma · DRL-1.1
title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
related:
    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
      type: similar
    - id: 817f252c-5143-4dae-b418-48c3e9f63728
      type: similar
status: test
description: |
    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        # HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        # HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
        EventType: DeleteValue
        TargetObject|endswith: '\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis'
    condition: selection
falsepositives:
    - Legitimate use/activation of Windows Recall
level: medium
related medium
PowerShell Get Clipboard
A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 4cbd4f12-2e22-43e3-882f-bff3247ffb78 license Sigma · DRL-1.1
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: test
description: A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-01-04
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium
related medium
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
status test author Nasreddine Bencherchali (Nextron Systems) id b9aeac14-2ffd-4ad3-b967-1354a4e628c3 license Sigma · DRL-1.1
title: PowerShell Get-Clipboard Cmdlet Via CLI
id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
related:
    - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
      type: derived
status: test
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-02
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin