Sigma rules for Zumanek
500 rules · scoped to actor · back to Zumanek
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2018-08-25
modified: 2025-10-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_target:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
selection_suspicious_paths_1:
Details|contains:
- ':\Perflogs'
- :\ProgramData'
- ':\Windows\Temp'
- ':\Temp'
- '\AppData\Local\Temp'
- '\AppData\Roaming'
- ':\$Recycle.bin'
- ':\Users\Default'
- ':\Users\public'
- '%temp%'
- '%tmp%'
- '%Public%'
- '%AppData%'
selection_suspicious_paths_user_1:
Details|contains: ':\Users\'
selection_suspicious_paths_user_2:
Details|contains:
- '\Favorites'
- '\Favourites'
- '\Contacts'
- '\Music'
- '\Pictures'
- '\Documents'
- '\Photos'
filter_main_windows_update:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
Details|contains|all:
- 'rundll32.exe '
- 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
Details|contains:
- '\AppData\Local\Temp\'
- 'C:\Windows\Temp\'
filter_optional_spotify:
Image|endswith:
- 'C:\Program Files\Spotify\Spotify.exe'
- 'C:\Program Files (x86)\Spotify\Spotify.exe'
- '\AppData\Roaming\Spotify\Spotify.exe'
TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
Details|endswith: 'Spotify.exe --autostart --minimized'
condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Software using weird folders for updates
level: high
title: Modify User Shell Folders Startup Value
id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
related:
- id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
type: similar
status: test
description: |
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.
Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-10-01
modified: 2026-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1547.001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
TargetObject|endswith:
- '\Common Startup'
- '\Startup'
filter_main_details_null:
Details: null
filter_main_programdata_startup:
Details|contains:
- 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
- '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
filter_main_userprofile_startup_1:
Details|contains:
- '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
- '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
filter_main_userprofile_startup_2:
Details|contains|all:
- 'C:\Users\'
- '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
# Apply more filters if new legitimate paths are identified
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml
simulation:
- type: atomic-red-team
name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
technique: T1547.001
atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
Details|contains:
- 'vbscript:'
- 'jscript:'
- 'mshtml,'
- 'RunHTMLApplication'
- 'Execute('
- 'CreateObject'
- 'window.close'
filter:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
filter_dotnet:
Image|endswith: '\msiexec.exe'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
Details|contains:
- '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
- '<\Microsoft.mshtml,fileVersion='
- '_mshtml_dll_'
- '<\Microsoft.mshtml,culture='
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high
title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
references:
- https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2022-03-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_event
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
selection2:
TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
# Add the payload in the (Default)
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
date: 2019-10-01
modified: 2025-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_event
product: windows
detection:
selection:
Image|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- '\Downloads\'
- '\Temporary Internet Files\Content.Outlook\'
- '\Local Settings\Temporary Internet Files\'
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
condition: selection
falsepositives:
- Software installers downloaded and used by users
level: high
title: Potential Okta Password in AlternateID Field
id: 91b76b84-8589-47aa-9605-c837583b82a9
status: test
description: |
Detects when a user has potentially entered their password into the
username field, which will cause the password to be retained in log files.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
- https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
author: kelnage
date: 2023-04-03
modified: 2026-04-27
tags:
- attack.credential-access
- attack.t1552
logsource:
product: okta
service: okta
detection:
selection:
legacyEventType: 'core.user_auth.login_failed'
filter_main:
# Okta service account names start with 0oa
# Email addresses are the default format for Okta usernames, so attempt
# to exclude alternateIds that look like valid emails
# If your Okta configuration uses different character restrictions, you
# will need to update this regular expression to reflect that or disable the rule for your environment
# Possible false negatives are failed login attempts with a password that looks like a valid email address
actor.alternateId|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})'
condition: selection and not filter_main
falsepositives:
- Unlikely
level: high
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.initial-access
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1552
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Update Application
- Update Service principal
condition: selection
falsepositives:
- When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
- id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.execution
- attack.collection
- attack.t1005
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '/node'
- '/bun'
selection_child:
- Image|endswith:
- '/trufflehog'
- '/gitleaks'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith: '/grep'
CommandLine|contains: 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
category: process_creation
detection:
selection_img:
Image|endswith: '/cp'
selection_path:
CommandLine|contains: '/tmp/'
selection_file:
CommandLine|contains:
- 'passwd'
- 'shadow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
- https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
- attack.reconnaissance
- attack.t1592.004
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- ' -name .htpasswd'
- ' -perm -4000 '
condition: selection
falsepositives:
- Legitimate administration activities
level: high
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2023-04-30
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
keywords:
'|all':
- 'grep'
- 'password'
condition: selection and keywords
falsepositives:
- Unknown
level: high
title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
- https://github.com/GossiTheDog/HiveNightmare
- https://github.com/FireFart/hivenightmare/
- https://github.com/WiredPulse/Invoke-HiveNightmare
- https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1552.001
- cve.2021-36934
logsource:
product: windows
category: file_event
detection:
selection:
- TargetFilename|contains:
- '\hive_sam_' # Go version
- '\SAM-2021-' # C++ version
- '\SAM-2022-' # C++ version
- '\SAM-2023-' # C++ version
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
- TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
falsepositives:
- Files that accidentally contain these strings
level: high
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.credential-access
- attack.t1555
- attack.t1552.004
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- 'ntds_capi_'
- 'ntds_legacy_'
- 'ntds_unknown_'
TargetFilename|endswith:
- '.cer'
- '.key'
- '.pfx'
- '.pvk'
condition: selection
falsepositives:
- Unlikely
level: high
title: Suspicious Serv-U Process Pattern
id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
status: test
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-07-14
tags:
- attack.credential-access
- attack.t1555
- cve.2021-35211
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Serv-U.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
condition: selection
falsepositives:
- Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: high
title: Powershell Add Name Resolution Policy Table Rule
id: 4368354e-1797-463c-bc39-a309effbe8d7
status: test
description: |
Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.
This will bypass the default DNS server and uses a specified server for answering the query.
references:
- https://twitter.com/NathanMcNulty/status/1569497348841287681
- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
author: Borna Talebi
date: 2021-09-14
modified: 2022-10-09
tags:
- attack.impact
- attack.t1565
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Add-DnsClientNrptRule'
- '-Namesp'
- '-NameSe'
condition: selection
falsepositives:
- Unknown
level: high
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
- https://github.com/sleventyeleven/linuxprivchecker/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
- attack.impact
- attack.t1565.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/rm'
- '/unlink'
- '/shred'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
level: high
title: Commands to Clear or Remove the Syslog - Builtin
id: e09eb557-96d2-4de9-ba2d-30f712a5afd3
status: test
description: Detects specific commands commonly used to remove or empty the syslog
references:
- https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
author: Max Altgelt (Nextron Systems)
date: 2021-09-10
modified: 2022-11-26
tags:
- attack.impact
- attack.t1565.001
logsource:
product: linux
detection:
selection:
- 'rm /var/log/syslog'
- 'rm -r /var/log/syslog'
- 'rm -f /var/log/syslog'
- 'rm -rf /var/log/syslog'
- 'mv /var/log/syslog'
- ' >/var/log/syslog'
- ' > /var/log/syslog'
falsepositives:
- '/syslog.'
condition: selection and not falsepositives
falsepositives:
- Log rotation
level: high
title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
- https://sec.okta.com/fastpassphishingdetection
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2023-05-07
modified: 2026-04-27
tags:
- attack.initial-access
- attack.t1566
logsource:
product: okta
service: okta
detection:
selection:
outcome.reason: 'FastPass declined phishing attempt'
outcome.result: FAILURE
eventType: user.authentication.auth_via_mfa
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
Detect when System Manager successfully executes commands against an instance.
references:
- https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.t1566
- attack.t1566.002
logsource:
product: aws
service: cloudtrail
detection:
selection_event:
eventName: 'SendCommand'
eventSource: 'ssm.amazonaws.com'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event and 1 of selection_status_*
falsepositives:
- There are legitimate uses of SSM to send commands to EC2 instances
- Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
title: Phishing Pattern ISO in Archive
id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
status: test
description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
references:
- https://twitter.com/1ZRR4H/status/1534259727059787783
- https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
author: Florian Roth (Nextron Systems)
date: 2022-06-07
tags:
- attack.initial-access
- attack.t1566
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\Winrar.exe'
- '\7zFM.exe'
- '\peazip.exe'
Image|endswith:
- '\isoburn.exe'
- '\PowerISO.exe'
- '\ImgBurn.exe'
condition: selection
falsepositives:
- Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
level: high
title: Suspicious Microsoft OneNote Child Process
id: c27515df-97a9-4162-8a60-dc0eeb51b775
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes
type: derived
status: test
description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
- https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-21
modified: 2023-02-10
tags:
- attack.t1566
- attack.t1566.001
- attack.initial-access
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\onenote.exe'
selection_opt_img:
- OriginalFileName:
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'wscript.exe'
- Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\wmic.exe'
- '\workfolders.exe'
- '\wscript.exe'
selection_opt_explorer:
Image|endswith: '\explorer.exe'
CommandLine|contains:
- '.hta'
- '.vb'
- '.wsh'
- '.js'
- '.ps'
- '.scr'
- '.pif'
- '.bat'
- '.cmd'
selection_opt_paths:
Image|contains:
- '\AppData\'
- '\Users\Public\'
- '\ProgramData\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
- '\Windows\System32\Tasks\'
filter_teams:
Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
CommandLine|endswith: '-Embedding'
filter_onedrive:
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
Image|endswith: '\FileCoAuth.exe'
CommandLine|endswith: '-Embedding'
condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*
falsepositives:
- File located in the AppData folder with trusted signature
level: high
title: Suspicious External WebDAV Execution
id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
related:
- id: 4c55738d-72d8-490e-a2db-7969654e375f
type: similar
status: test
description: |
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
references:
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Ahmed Farouk
date: 2024-05-10
tags:
- attack.initial-access
- attack.resource-development
- attack.t1584
- attack.t1566
logsource:
category: proxy
detection:
selection_webdav:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
selection_execution:
c-uri|endswith:
- '.7z'
- '.bat'
- '.dat'
- '.cmd'
- '.exe'
- '.js'
- '.lnk'
- '.ps1'
- '.rar'
- '.url'
- '.vbe'
- '.vbs'
- '.zip'
filter_main_local_ips:
dst_ip|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: test
description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
references:
- https://twitter.com/Sam0x90/status/1552011547974696960
- https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: '@sam0x90'
date: 2022-07-30
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
detection:
selection_1:
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.zip\'
TargetFilename|endswith: '.iso'
selection_2:
TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
TargetFilename|endswith: '.iso'
condition: 1 of selection*
falsepositives:
- Potential FP by sysadmin opening a zip file containing a legitimate ISO file
level: high
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
- id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
type: obsolete
status: experimental
description: |
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection_extension:
TargetFilename|endswith:
- '.cpl'
- '.hta'
- '.iso'
- '.rdp'
- '.svg'
- '.vba'
- '.vbe'
- '.vbs'
selection_location:
- TargetFilename|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- TargetFilename|contains|all:
- '\AppData\Local\Microsoft\Windows\'
- '\Content.Outlook\'
condition: all of selection_*
falsepositives:
- Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of a office macro file from a a suspicious process
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
detection:
selection_cmd:
- Image|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_ext:
TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
- Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
- id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
- https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
- https://twitter.com/blackorbird/status/1140519090961825792
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019-06-26
modified: 2025-05-30
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- ' .exe'
- '______.exe'
- '.doc.exe'
- '.doc.js'
- '.docx.exe'
- '.docx.js'
- '.gif.exe'
- '.jpeg.exe'
- '.jpg.exe'
- '.mkv.exe'
- '.mov.exe'
- '.mp3.exe'
- '.mp4.exe'
- '.pdf.exe'
- '.pdf.js'
- '.png.exe'
- '.ppt.exe'
- '.ppt.js'
- '.pptx.exe'
- '.pptx.js'
- '.rtf.exe'
- '.rtf.js'
- '.svg.exe'
- '.txt.exe'
- '.txt.js'
- '.xls.exe'
- '.xls.js'
- '.xlsx.exe'
- '.xlsx.js'
- '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
CommandLine|contains:
- ' .exe'
- '______.exe'
- '.doc.exe'
- '.doc.js'
- '.docx.exe'
- '.docx.js'
- '.gif.exe'
- '.jpeg.exe'
- '.jpg.exe'
- '.mkv.exe'
- '.mov.exe'
- '.mp3.exe'
- '.mp4.exe'
- '.pdf.exe'
- '.pdf.js'
- '.png.exe'
- '.ppt.exe'
- '.ppt.js'
- '.pptx.exe'
- '.pptx.js'
- '.rtf.exe'
- '.rtf.js'
- '.svg.exe'
- '.txt.exe'
- '.txt.js'
- '.xls.exe'
- '.xls.js'
- '.xlsx.exe'
- '.xlsx.js'
- '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
condition: selection
falsepositives:
- Unknown
level: high
title: Monero Crypto Coin Mining Pool Lookup
id: b593fd50-7335-4682-a36c-4edcb68e4641
status: stable
description: Detects suspicious DNS queries to Monero mining pools
references:
- https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
author: Florian Roth (Nextron Systems)
date: 2021-10-24
tags:
- attack.impact
- attack.t1496
- attack.exfiltration
- attack.t1567
logsource:
category: dns
detection:
selection:
query|contains:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
condition: selection
falsepositives:
- Legitimate crypto coin mining
level: high
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
- https://github.com/Gui774ume/ebpfkit
- https://github.com/pathtofile/bad-bpf
- https://github.com/carlospolop/PEASS-ng
- https://github.com/t3l3machus/hoaxshell
- https://github.com/t3l3machus/Villain
- https://github.com/HavocFramework/Havoc
- https://github.com/1N3/Sn1per
- https://github.com/Ne0nd0g/merlin
- https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
- attack.execution
- attack.resource-development
- attack.t1587
logsource:
product: linux
category: process_creation
detection:
selection_c2_frameworks:
Image|endswith:
- '/crackmapexec'
- '/havoc'
- '/merlin-agent'
- '/merlinServer-Linux-x64'
- '/msfconsole'
- '/msfvenom'
- '/ps-empire server'
- '/ps-empire'
- '/sliver-client'
- '/sliver-server'
- '/Villain.py'
selection_c2_framework_cobaltstrike:
Image|contains:
- '/cobaltstrike'
- '/teamserver'
selection_scanners:
Image|endswith:
- '/autorecon'
- '/httpx'
- '/legion'
- '/naabu'
- '/netdiscover'
- '/nuclei'
- '/recon-ng'
selection_scanners_sniper:
Image|contains: '/sniper'
selection_web_enum:
Image|endswith:
- '/dirb'
- '/dirbuster'
- '/eyewitness'
- '/feroxbuster'
- '/ffuf'
- '/gobuster'
- '/wfuzz'
- '/whatweb'
selection_web_vuln:
Image|endswith:
- '/joomscan'
- '/nikto'
- '/wpscan'
selection_exploit_tools:
Image|endswith:
- '/aircrack-ng'
- '/bloodhound-python'
- '/bpfdos'
- '/ebpfki'
- '/evil-winrm'
- '/hashcat'
- '/hoaxshell.py'
- '/hydra'
- '/john'
- '/ncrack'
# default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
- '/nxc-ubuntu-latest'
- '/pidhide'
- '/pspy32'
- '/pspy32s'
- '/pspy64'
- '/pspy64s'
- '/setoolkit'
- '/sqlmap'
- '/writeblocker'
selection_linpeas:
# covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
Image|contains: '/linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- http://addbalance.com/word/startup.htm
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
- attack.resource-development
- attack.t1587.001
logsource:
product: windows
category: file_event
detection:
selection_word_paths:
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\STARTUP'
filter_exclude_word_ext:
TargetFilename|endswith:
- '.docb' # Word binary document introduced in Microsoft Office 2007
- '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- '.docx' # Word document
- '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- '.mdb' # MS Access DB
- '.mdw' # MS Access DB
- '.pdf' # PDF documents
- '.wll' # Word add-in
- '.wwl' # Word add-in
selection_excel_paths:
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\XLSTART'
filter_exclude_excel_ext:
TargetFilename|endswith:
- '.xll'
- '.xls'
- '.xlsm'
- '.xlsx'
- '.xlt'
- '.xltm'
- '.xlw'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\winword.exe'
- '\excel.exe'
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
- False positive might stem from rare extensions used by other Office utilities.
level: high
title: Potential PsExec Remote Execution
id: ea011323-7045-460b-b2d7-0f7442ea6b38
status: test
description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-09-01
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Accepting EULA in commandline - often used in automated attacks
CommandLine|contains|all:
- 'accepteula'
- ' -u '
- ' -p '
- ' \\\\'
filter_main_localhost:
CommandLine|contains:
- '\\\\localhost'
- '\\\\127.'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
- id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection_sys: # Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
selection_other:
CommandLine|contains:
- 'psexec'
- 'paexec'
- 'accepteula'
condition: all of selection_*
falsepositives:
- Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
- Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
- id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
type: similar
status: test
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
filter_main_exclude_coverage:
# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
- 'paexec'
- 'PsExec'
- 'accepteula'
condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
- https://github.com/malcomvetter/CSExec
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
- attack.resource-development
- attack.t1587.001
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csexec.exe'
selection_pe:
Description: 'csexec'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.resource-development
- attack.t1588
logsource:
category: antivirus
detection:
selection_path:
Filename|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\'
- '/www/'
# - '\Client\'
- '\inetpub\'
- '\tsclient\'
- 'apache'
- 'nginx'
- 'tomcat'
- 'weblogic'
selection_ext:
Filename|endswith:
- '.asax'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cfm'
- '.cgi'
- '.chm'
- '.cmd'
- '.dat'
- '.ear'
- '.gif'
- '.hta'
- '.jpeg'
- '.jpg'
- '.jsp'
- '.jspx'
- '.lnk'
- '.msc'
- '.php'
- '.pl'
- '.png'
- '.ps1'
- '.psm1'
- '.py'
- '.pyc'
- '.rb'
- '.scf'
- '.sct'
- '.sh'
- '.svg'
- '.txt'
- '.vbe'
- '.vbs'
- '.war'
- '.wll'
- '.wsf'
- '.wsh'
- '.xll'
- '.xml'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
- https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
- https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
- https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
- attack.resource-development
- attack.t1588
logsource:
product: windows
service: application
detection:
keywords:
- 'Adfind'
- 'ASP/BackDoor '
- 'ATK/'
- 'Backdoor.ASP'
- 'Backdoor.Cobalt'
- 'Backdoor.JSP'
- 'Backdoor.PHP'
- 'Blackworm'
- 'Brutel'
- 'BruteR'
- 'Chopper'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'CRYPTES'
- 'Cryptor'
- 'Destructor'
- 'DumpCreds'
- 'Exploit.Script.CVE'
- 'FastReverseProxy'
- 'Filecoder'
- 'GrandCrab '
- 'HackTool'
- 'HKTL'
- 'HTool-'
- '/HTool'
- '.HTool'
- 'IISExchgSpawnCMD'
- 'Impacket'
- 'JSP/BackDoor '
- 'Keylogger'
- 'Koadic'
- 'Krypt'
- 'Lazagne'
- 'Metasploit'
- 'Meterpreter'
- 'MeteTool'
- 'mikatz'
- 'Mimikatz'
- 'Mpreter'
- 'MsfShell'
- 'Nighthawk'
- 'Packed.Generic.347'
- 'PentestPowerShell'
- 'Phobos'
- 'PHP/BackDoor '
- 'Potato'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Ransom'
- 'Rozena'
- 'Ryzerlo'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool '
- 'SharpDump'
- 'Shellcode'
- 'Sliver'
- 'Splinter'
- 'Swrort'
- 'Tescrypt'
- 'TeslaCrypt'
- 'TurtleLoader'
- 'Valyria'
- 'Webshell'
# - 'FRP.'
# - 'Locker'
# - 'PWS.'
# - 'PWSX'
# - 'Razy'
# - 'Ryuk'
filter_optional_generic:
- 'anti_ransomware_service.exe'
- 'Anti-Ransomware'
- 'Crack'
- 'cyber-protect-service.exe'
- 'encryptor'
- 'Keygen'
filter_optional_information:
Level: 4 # Information level
filter_optional_restartmanager:
Provider_Name: 'Microsoft-Windows-RestartManager'
condition: keywords and not 1 of filter_optional_*
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'ServicesActive'
AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
filter:
SubjectLogonId: '0x3e4'
condition: selection and not filter
falsepositives:
- Unknown
# triggering on many hosts in some environments
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
Payload|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
Payload|endswith: 'readtoend'
condition: selection_4103
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
Payload|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4103
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
- 'powershell'
condition: selection_4104
falsepositives:
- Unknown
level: medium
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
ScriptBlockText|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
ScriptBlockText|endswith: 'readtoend'
condition: selection_4104
falsepositives:
- Unknown
level: medium
title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
- https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
- https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
- https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
- attack.stealth
- attack.t1036.003
- attack.t1036
- attack.t1027.005
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\rcedit-x64.exe'
- '\rcedit-x86.exe'
- Description: 'Edit resources of exe'
- Product: 'rcedit'
selection_flags:
CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
selection_attributes:
CommandLine|contains:
- 'OriginalFileName'
- 'CompanyName'
- 'FileDescription'
- 'ProductName'
- 'ProductVersion'
- 'LegalCopyright'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-exportPFX '
condition: all of selection_*
falsepositives:
- There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
- id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://redcanary.com/blog/yellow-cockatoo/
- https://zero2auto.com/2020/05/19/netwalker-re/
- https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
selection_cli_xor:
CommandLine|contains: 'bxor'
selection_cli_other:
CommandLine|contains:
- 'ForEach'
- 'for('
- 'for '
- '-join '
- "-join'"
- '-join"'
- '-join`'
- '::Join'
- '[char]'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains: 'http'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
CommandLine|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
- 'readtoend('
condition: selection
falsepositives:
- Unknown
level: medium
title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
condition: all of selection_*
falsepositives:
- As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'ConvertTo-SecureString'
condition: all of selection_*
falsepositives:
- Legitimate use to pass password to different powershell commands
level: medium