Sigma rules for Zumanek
500 rules · scoped to actor · back to Zumanek
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious RASdial Activity
id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
status: test
description: Detects suspicious process related to rasdial.exe
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
date: 2019-01-16
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: 'rasdial.exe'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: test
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-21
modified: 2023-12-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
ParentImage|endswith:
- '\csrss.exe'
- '\ctfmon.exe'
- '\dllhost.exe'
- '\epad.exe'
- '\FlashPlayerUpdateService.exe'
- '\GoogleUpdate.exe'
- '\jucheck.exe'
- '\jusched.exe'
- '\LogonUI.exe'
- '\lsass.exe'
- '\regsvr32.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SIHClient.exe'
- '\sihost.exe'
- '\slui.exe'
- '\spoolsv.exe'
- '\sppsvc.exe'
- '\taskhostw.exe'
- '\unsecapp.exe'
- '\WerFault.exe'
- '\wermgr.exe'
- '\wlanext.exe'
- '\WUDFHost.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\perl.exe'
- OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://ss64.com/nt/for.html
- https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
- attack.execution
- attack.t1059
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_loop:
CommandLine|contains:
- 'for '
- 'foreach '
selection_tools:
CommandLine|contains:
- 'nslookup'
- 'ping'
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium
title: Elevated System Shell Spawned From Uncommon Parent Location
id: 178e615d-e666-498b-9630-9ed363038101
related:
- id: 61065c72-5d7d-44ef-bf41-6a36684b545f
type: similar
status: test
description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
references:
- https://github.com/Wh04m1001/SysmonEoP
author: frack113, Tim Shelton (update fp)
date: 2022-12-05
modified: 2025-03-06
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1059
logsource:
product: windows
category: process_creation
detection:
selection_shell:
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'powershell_ise.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
selection_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
LogonId: '0x3e7'
filter_main_generic:
# Example 1:
# C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
# Example 2:
# ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
# CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
ParentImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\ProgramData\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\Temp\' # Installers
- ':\Windows\WinSxS\'
filter_optional_manageengine:
# Example:
# ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
# CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
Image|endswith: '\cmd.exe'
filter_optional_asgard:
CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
filter_optional_ibm_spectrumprotect:
ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
filter_main_parent_null:
ParentImage: null
filter_main_parent_empty:
ParentImage:
- ''
- '-'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.
level: medium
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
- https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '^^'
- '^|^'
- ',;,'
- ';;;;'
- ';; ;;'
- '(,(,'
- '%COMSPEC:~'
- ' c^m^d'
- '^c^m^d'
- ' c^md'
- ' cm^d'
- '^cm^d'
- ' s^et '
- ' s^e^t '
- ' se^t '
# - '%%'
# - '&&'
# - '""'
condition: selection
falsepositives:
- Unknown
level: medium
title: Wscript Shell Run In CommandLine
id: 2c28c248-7f50-417a-9186-a85b223010ee
status: test
description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
references:
- https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
- https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-05-15
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'Wscript.'
- '.Shell'
- '.Run'
condition: selection
falsepositives:
- Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
level: medium
title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
- id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
type: obsolete
- id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
type: obsolete
status: test
description: |
Detects the execution of "forfiles" with the "/c" flag.
While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
Can be used to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2024-03-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\forfiles.exe'
- OriginalFileName: 'forfiles.exe'
selection_cli:
CommandLine|contains|windash: ' -c '
condition: all of selection_*
falsepositives:
- Legitimate use via a batch script or by an administrator.
level: medium
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
- https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\conhost.exe'
ParentImage|endswith:
- '\explorer.exe'
# - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
# - '\ctfmon.exe' # Seen several times in a testing environment
# - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
- '\lsass.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\services.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\userinit.exe'
# - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
- '\wininit.exe'
- '\winlogon.exe'
filter_main_svchost:
ParentCommandLine|contains:
- '-k apphost -s AppHostSvc'
- '-k imgsvc'
- '-k localService -p -s RemoteRegistry'
- '-k LocalSystemNetworkRestricted -p -s NgcSvc'
- '-k NetSvcs -p -s NcaSvc'
- '-k netsvcs -p -s NetSetupSvc'
- '-k netsvcs -p -s wlidsvc'
- '-k NetworkService -p -s DoSvc'
- '-k wsappx -p -s AppXSvc'
- '-k wsappx -p -s ClipSVC'
- '-k wusvcs -p -s WaaSMedicSvc'
filter_optional_dropbox:
ParentCommandLine|contains:
- 'C:\Program Files (x86)\Dropbox\Client\'
- 'C:\Program Files\Dropbox\Client\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Add Potential Suspicious New Download Source To Winget
id: c15a46a0-07d4-4c87-b4b6-89207835a83b
related:
- id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
type: similar
- id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
type: similar
status: test
description: Detects usage of winget to add new potentially suspicious download sources
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-12-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
selection_source_direct_ip:
# This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
- id: 236d8e89-ed95-4789-a982-36f4643738ba
type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VMwareToolBoxCmd.exe'
- OriginalFileName: 'toolbox-cmd.exe'
selection_cli:
CommandLine|contains|all:
- ' script '
- ' set '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Use of OpenConsole
id: 814c95cc-8192-4378-a70a-f1aafd877af1
status: test
description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
references:
- https://twitter.com/nas_bench/status/1537563834478645252
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'OpenConsole.exe'
- Image|endswith: '\OpenConsole.exe'
filter:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal
condition: selection and not filter
falsepositives:
- Legitimate use by an administrator
level: medium
title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
- attack.execution
- attack.defense-impairment
- attack.t1059
- attack.t1222.001
logsource:
category: process_creation
product: windows
detection:
selection_img_proxy:
# Note: Example command observed: cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_fsutil_cli:
CommandLine|contains|all:
- 'fsutil'
- 'behavior'
- 'set'
- 'SymlinkEvaluation'
selection_symlink_params:
CommandLine|contains:
- 'R2L:1' # Remote to Local
- 'R2R:1' # Remote to Remote
- 'L2L:1' # Local to Local
condition: all of selection_*
falsepositives:
- Legitimate usage, investigate the parent process and context to determine if benign.
level: medium
title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: test
description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
references:
- https://docs.python.org/3/using/cmdline.html#cmdoption-c
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-10-07
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'python.exe'
- Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
selection_cli:
CommandLine|contains: ' -c'
filter_main_python_1: # Based on baseline
ParentImage|startswith:
- 'C:\Program Files\Python'
- 'C:\Program Files (x86)\Python'
ParentImage|endswith: '\python.exe'
ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
filter_main_python_trace: # Based on baseline
ParentImage|startswith:
- 'C:\Program Files\Python'
- 'C:\Program Files (x86)\Python'
CommandLine|contains|all:
# CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
- '-W ignore::DeprecationWarning'
- "['install', '--no-cache-dir', '--no-index', '--find-links',"
- "'--upgrade', 'pip'"
filter_optional_vscode:
- ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- ParentImage:
- 'C:\Program Files\Microsoft VS Code\Code.exe'
- 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
filter_optional_pip:
CommandLine|contains|all:
- '<pip-setuptools-caller>'
- 'exec(compile('
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Python libraries that use a flag starting with "-c". Filter according to your environment
level: medium
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: test
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ruby.exe'
- OriginalFileName: 'ruby.exe'
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Php Inline Command Execution
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: test
description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
references:
- https://www.php.net/manual/en/features.commandline.php
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\php.exe'
- OriginalFileName: 'php.exe'
selection_cli:
CommandLine|contains: ' -r'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Runscripthelper.exe'
CommandLine|contains: 'surfacecheck'
condition: selection
falsepositives:
- Unknown
level: medium
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
references:
- https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
- attack.stealth
- attack.t1211
- attack.t1059
- attack.persistence
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains:
- 'echo'
- 'copy'
- 'type'
- 'file createnew'
- 'cacls'
selection_2:
CommandLine|contains: 'C:\Windows\Fonts\'
selection_3:
CommandLine|contains:
- '.sh'
- '.exe'
- '.dll'
- '.bin'
- '.bat'
- '.cmd'
- '.js'
- '.msh'
- '.reg'
- '.scr'
- '.ps'
- '.vb'
- '.jar'
- '.pl'
- '.inf'
- '.cpl'
- '.hta'
- '.msi'
- '.vbs'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Use of Pcalua For Execution
id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
related:
- id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
type: obsolete
status: test
description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2023-01-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcalua.exe'
CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a"
condition: selection
falsepositives:
- Legitimate use by a via a batch script or by an administrator.
level: medium
title: Add New Download Source To Winget
id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
related:
- id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
type: similar
- id: c15a46a0-07d4-4c87-b4b6-89207835a83b
type: similar
status: test
description: Detects usage of winget to add new additional download sources
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
condition: all of selection_*
falsepositives:
- False positive are expected with legitimate sources
level: medium
title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\ftp.exe'
selection_child_img:
- Image|endswith: '\ftp.exe'
- OriginalFileName: 'ftp.exe'
selection_child_cli:
CommandLine|contains|windash: '-s:'
condition: selection_parent or all of selection_child_*
falsepositives:
- Unknown
level: medium
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
references:
- https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
- https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
- attack.execution
- attack.t1059
logsource:
category: image_load
product: windows
detection:
selection_dll:
ImageLoaded|endswith: '\clfs.sys'
selection_folders_1:
Image|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
- '\Windows\Temp\'
selection_folders_2:
- Image|contains|all:
- ':\Users\'
- '\Favorites\'
- Image|contains|all:
- ':\Users\'
- '\Favourites\'
- Image|contains|all:
- ':\Users\'
- '\Contacts\'
- Image|contains|all:
- ':\Users\'
- '\Pictures\'
condition: selection_dll and 1 of selection_folders_*
falsepositives:
- Unknown
level: medium
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
status: test
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
author: frack113
date: 2022-01-02
tags:
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_start:
ScriptBlockText|contains: Start-Process
selection_batch:
ScriptBlockText|contains:
- '.cmd'
- '.bat'
condition: all of selection_*
falsepositives:
- Legitimate administration script
level: medium
title: PUA - AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
related:
- id: fa00b701-44c6-4679-994d-5a18afa8a707
type: similar
status: test
description: Detects the execution of AdvancedRun utility
references:
- https://twitter.com/splinter_code/status/1483815103279603714
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- https://www.elastic.co/security-labs/operation-bleeding-bear
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
- attack.execution
- attack.privilege-escalation
- attack.stealth
- attack.t1564.003
- attack.t1134.002
- attack.t1059.003
logsource:
product: windows
category: process_creation
detection:
selection:
- OriginalFileName: 'AdvancedRun.exe'
- CommandLine|contains|all:
- ' /EXEFilename '
- ' /Run'
- CommandLine|contains|all:
- ' /WindowState 0'
- ' /RunAs '
- ' /CommandLine '
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
title: Powershell Executed From Headless ConHost Process
id: 056c7317-9a09-4bd4-9067-d051312752ea
related:
- id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
type: derived
status: test
description: |
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1059.003
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\conhost.exe'
- OriginalFileName: 'CONHOST.EXE'
selection_cli:
CommandLine|contains|all:
- '--headless'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
- attack.execution
- attack.command-and-control
- attack.t1059.003
- attack.t1059.001
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- 'http' # captures both http and https
- '://'
- '%AppData%'
condition: selection
falsepositives:
- High
level: medium
title: HackTool - Jlaive In-Memory Assembly Execution
id: 0a99eb3e-1617-41bd-b095-13dc767f3def
status: test
description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
references:
- https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
- https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-24
modified: 2023-02-22
tags:
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: process_creation
detection:
parent_selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|endswith: '.bat'
selection1:
Image|endswith: '\xcopy.exe'
CommandLine|contains|all:
- 'powershell.exe'
- '.bat.exe'
selection2:
Image|endswith: '\xcopy.exe'
CommandLine|contains|all:
- 'pwsh.exe'
- '.bat.exe'
selection3:
Image|endswith: '\attrib.exe'
CommandLine|contains|all:
- '+s'
- '+h'
- '.bat.exe'
condition: parent_selection and (1 of selection*)
falsepositives:
- Unknown
level: medium
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
- attack.execution
- attack.t1059.003
- attack.lateral-movement
- attack.t1021.004
- attack.command-and-control
- attack.t1219
logsource:
product: windows
category: process_creation
detection:
selection_img:
ParentImage|endswith: '\ITSMService.exe'
Image|endswith: '\ssh-shellhost.exe'
CommandLine|contains: '--pty'
selection_cli_shell:
CommandLine|contains:
- 'bash'
- 'cmd'
- 'powershell'
- 'pwsh'
condition: all of selection_*
falsepositives:
- Legitimate use of OpenEDR for remote command execution
level: medium
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
This behavior has been observed in various malicious lnk files.
references:
- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
- attack.execution
- attack.stealth
- attack.t1059.003
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_tokens:
CommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
selection_tokens_parent:
ParentCommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
title: Read Contents From Stdin Via Cmd.EXE
id: 241e802a-b65e-484f-88cd-c2dc10f9206d
related:
- id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
type: obsolete
status: test
description: Detect the use of "<" to read and potentially execute a file via cmd.exe
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
- https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-07
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains: '<'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
- attack.execution
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
logsource:
product: windows
service: applocker
detection:
selection:
EventID:
- 8004 # EXE and DLL
- 8007 # MSI and Script
- 8022 # Packaged app execution
- 8025 # Packaged app deployment
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
title: Registry Modification Attempt Via VBScript - PowerShell
id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
related:
- id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
type: similar
- id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
type: similar
status: experimental
description: |
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands.
Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.
This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
references:
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
- https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1059.005
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- 'CreateObject'
- 'Wscript.shell'
- '.RegWrite'
condition: selection
falsepositives:
- Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium
title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 575dce0c-8139-4e30-9295-1ee75969f7fe
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: blueteamer8699
date: 2022-01-03
modified: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: 'gatherNetworkInfo.vbs'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
title: Uncommon Child Process Of BgInfo.EXE
id: aaf46cdc-934e-4284-b329-34aa701e3771
related:
- id: 811f459f-9231-45d4-959a-0266c6311987
type: similar
status: test
description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2019-10-26
modified: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
related:
- id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
type: similar
- id: 8d63dadf-b91b-4187-87b6-34a1114577ea
type: similar
status: test
description: |
Detects the execution of WMIC with the "format" flag to potentially load local XSL files.
Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2026-01-24
tags:
- attack.stealth
- attack.t1047
- attack.t1220
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- Hashes|contains: # Sysmon field hashes contains all types
- 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
- 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
- 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
- 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
- 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
selection_cmd:
CommandLine|contains|windash: '-format:' # wmic process list -FORMAT /? or wmic process list /FORMAT /?
filter_main_known_format:
CommandLine|contains:
- 'Format:List'
- 'Format:htable'
- 'Format:hform'
- 'Format:table'
- 'Format:mof'
- 'Format:value'
- 'Format:rawxml'
- 'Format:xml'
- 'Format:csv'
filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea
CommandLine|contains:
- '://'
- '\\\\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
- Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium
title: Registry Modification Attempt Via VBScript
id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
related:
- id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
type: similar
- id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
type: similar
status: experimental
description: |
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
references:
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'CreateObject'
- 'Wscript.shell'
- '.RegWrite'
condition: selection
falsepositives:
- Unknown
level: medium
title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
- id: 1e33157c-53b1-41ad-bbcc-780b80b58288
type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_exec:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_paths:
CommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\Temp\'
- '\Start Menu\Programs\Startup\'
- '\Temporary Internet'
- '\Windows\Temp'
- '%LocalAppData%\Temp\'
- '%TEMP%'
- '%TMP%'
selection_ext:
CommandLine|contains:
- '.hta'
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: all of selection_*
falsepositives:
- Some installers might generate a similar behavior. An initial baseline is required
level: medium
title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218.014
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\mmc.exe'
ImageLoaded|endswith:
- '\vbscript.dll'
- '\jscript.dll'
- '\jscript9.dll'
condition: selection
falsepositives:
- Legitimate MMC operations or extensions loading these libraries
level: medium
title: Registry Tampering by Potentially Suspicious Processes
id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
related:
- id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
type: similar
- id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
type: similar
status: experimental
description: |
Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
references:
- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-13
modified: 2026-04-14
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1059.005
logsource:
category: registry_event
product: windows
detection:
selection:
Image|endswith:
# Add more suspicious processes
- '\mshta.exe'
- '\wscript.exe'
- '\cscript.exe'
filter_main_binary_data:
Details: 'Binary Data'
filter_main_null:
Details: null
filter_main_wscript_legit_1:
Image|endswith: '\wscript.exe'
TargetObject|contains:
- 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
- '\Services\bam\State\UserSettings\S-1-'
- 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
- 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
filter_main_wscript_legit_2:
Image|endswith: '\wscript.exe'
TargetObject|contains: '\wscript.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
- id: 225d8b09-e714-479c-a0e4-55e6f29adf35
type: derived
status: test
description: |
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.stealth
- attack.t1070
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'events'
condition: selection
falsepositives:
- Unknown
level: medium
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022-12-13
modified: 2022-12-28
tags:
- attack.stealth
- attack.t1070
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ses.amazonaws.com'
eventName: 'DeleteIdentity'
condition: selection
falsepositives:
- Unknown
level: medium
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
- id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
type: similar
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
- https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|contains: '\inetpub\logs\LogFiles\'
TargetFilename|endswith: '.log'
condition: selection
falsepositives:
- During uninstallation of the IIS service
- During log rotation
level: medium
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
condition: selection
falsepositives:
- Unknown
level: medium
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: test
description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://linuxhint.com/view-tomcat-logs-windows/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-16
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|contains|all:
- '\Tomcat'
- '\logs\'
TargetFilename|contains:
- 'catalina.'
- '_access_log.'
- 'localhost.'
condition: selection
falsepositives:
- During uninstallation of the tomcat server
- During log rotation
level: medium
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
TargetFilename|endswith: '.evtx'
condition: selection
falsepositives:
- Unknown
level: medium
title: IIS WebServer Log Deletion via CommandLine Utilities
id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
related:
- id: 3eb8c339-a765-48cc-a150-4364c04652bf
type: similar
status: experimental
description: |
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-02
tags:
- attack.stealth
- attack.t1070
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'cmd.exe'
- 'powershell.exe'
- 'powershell_ise.exe'
- 'pwsh.dll'
selection_cli_del:
CommandLine|contains:
- 'del '
- 'erase '
- 'rm '
- 'remove-item '
- 'rmdir '
selection_cli_iis_dir:
CommandLine|contains: '\inetpub\logs\'
condition: all of selection_*
falsepositives:
- Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
- Legitimate schedule tasks or scripts that clean up log files regularly.
# More Fp cases
# https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
level: medium
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
- attack.persistence
- attack.t1542.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_cli:
CommandLine|contains:
- 'delete'
- 'deletevalue'
- 'import'
- 'safeboot'
- 'network'
condition: all of selection_*
level: medium
title: Filter Driver Unloaded Via Fltmc.EXE
id: 4931188c-178e-4ee7-a348-39e8a7a56821
related:
- id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
type: derived
status: test
description: Detect filter driver unloading activity via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
modified: 2025-10-07
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains: 'unload'
filter_optional_avira:
ParentImage|contains:
- '\AppData\Local\Temp\'
- ':\Windows\Temp\'
ParentImage|endswith: '\endpoint-protection-installer-x64.tmp'
CommandLine|endswith:
- 'unload rtp_filesystem_filter'
- 'unload rtp_filter'
filter_optional_manageengine:
ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe'
CommandLine|endswith: 'unload DFMFilter'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
- attack.stealth
- attack.t1070
logsource:
product: windows
category: image_load
detection:
selection:
Image|startswith: 'C:\Windows\'
ImageLoaded|startswith:
# TODO: Add more suspicious paths as you see fit in your env
- 'C:\Users\Public\'
- 'C:\PerfLogs\'
condition: selection
falsepositives:
- Unknown
level: medium
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: test
description: |
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
- https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
- attack.execution
- attack.command-and-control
- attack.stealth
- attack.t1218.011
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'oledb32.dll'
- ',OpenDSLFile '
- '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
CommandLine|endswith: '.udl'
condition: all of selection_*
falsepositives:
- UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium