Sigma rules for CVE-2002-1001
30 rules · scoped to cve · back to CVE-2002-1001
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Okta User Session Start Via An Anonymising Proxy Service
id: bde30855-5c53-4c18-ae90-1ff79ebc9578
status: test
description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'user.session.start'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- If a user requires an anonymising proxy due to valid justifications.
level: high
title: Remote Thread Creation Ttdinject.exe Proxy
id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
status: test
description: Detects a remote thread creation of Ttdinject.exe used as proxy
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
modified: 2022-06-02
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith: '\ttdinject.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
- https://asec.ahnlab.com/en/38156/
- https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\frpc.exe'
- '\frps.exe'
selection_cli:
CommandLine|contains: '\frpc.ini'
selection_hashes:
# v0.44.0
Hashes|contains:
- "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
- "SHA1=06DDC9280E1F1810677935A2477012960905942F"
- "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: high
title: Potential Manage-bde.wsf Abuse To Proxy Execution
id: c363385c-f75d-4753-a108-c1a8e28bdbda
status: test
description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
references:
- https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
- https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
- https://twitter.com/bohops/status/980659399495741441
- https://twitter.com/JohnLaTwC/status/1223292479270600706
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_wscript_img:
- Image|endswith: '\wscript.exe'
- OriginalFileName: 'wscript.exe'
selection_wscript_cli:
CommandLine|contains: 'manage-bde.wsf'
selection_parent:
ParentImage|endswith:
- '\cscript.exe'
- '\wscript.exe'
ParentCommandLine|contains: 'manage-bde.wsf'
selection_filter_cmd:
Image|endswith: '\cmd.exe'
condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
falsepositives:
- Unlikely
level: high
title: Proxy Execution Via Wuauclt.EXE
id: af77cf95-c469-471c-b6a0-946c685c4798
related:
- id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
type: obsolete
- id: d7825193-b70a-48a4-b992-8b5b3015cc11
type: obsolete
status: test
description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
references:
- https://dtm.uk/wuauclt/
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
date: 2020-10-12
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wuauclt.exe'
- OriginalFileName: 'wuauclt.exe'
selection_cli:
CommandLine|contains|all:
- 'UpdateDeploymentProvider'
- 'RunHandlerComServer'
filter_main_generic:
# Note: Please enhance this if you find the full path
CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
filter_main_wuaueng:
# Note: Please enhance this if you find the full path
CommandLine|contains: ' wuaueng.dll '
filter_main_uus:
CommandLine|contains:
- ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
- ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
filter_main_winsxs:
CommandLine|contains|all:
- ':\Windows\WinSxS\'
- '\UpdateDeploy.dll /ClassId '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
- https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Swachchhanda Shrawan Poudel
date: 2023-08-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
- id: 953b895e-5cc9-454b-b183-7f3db555452e
type: obsolete
- id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
type: obsolete
- id: 37325383-740a-403d-b1a2-b2b4ab7992e7
type: obsolete
- id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection_amazon_1:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection_amazon_2:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
selection_generic_1:
c-useragent:
- 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
- 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
selection_generic_2:
c-useragent|endswith: '; MANM; MANM)'
selection_oscp:
c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
selection_onedrive:
cs-method: 'GET'
c-uri|endswith: '\?manifest=wac'
cs-host: 'onedrive.live.com'
filter_main_onedrive:
c-uri|startswith: 'http'
c-uri|contains: '://onedrive.live.com/'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://dataconomy.com/2023/10/23/okta-data-breach/
- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
- attack.credential-access
logsource:
service: okta
product: okta
detection:
selection:
debugContext.debugData.requestUri|contains: 'admin'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
- https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
- attack.execution
- attack.stealth
- attack.t1106
- attack.t1218
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cdb.exe'
- OriginalFileName: 'CDB.Exe'
selection_cli:
CommandLine|contains:
- ' -c ' # Using a debugger script
- ' -cf '
condition: all of selection*
falsepositives:
- Legitimate use of debugging tools
level: medium
title: Lolbin Runexehelper Use As Proxy
id: cd71385d-fd9b-4691-9b98-2b1f7e508714
status: test
description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
references:
- https://twitter.com/0gtweet/status/1206692239839289344
- https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
author: frack113
date: 2022-12-29
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\runexehelper.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
CommandLine|contains: 'SyncInvoke '
condition: selection
falsepositives:
- Unknown
level: medium
title: REGISTER_APP.VBS Proxy Execution
id: 1c8774a0-44d4-4db0-91f8-e792359c70bd
status: test
description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\register_app.vbs'
- '-register'
condition: selection
falsepositives:
- Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
level: medium
title: Proxy Execution via Vshadow
id: d7c75059-2901-4578-b209-8837fd31c6a8
status: experimental
description: |
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
attackers can leverage this parameter to proxy the execution of malware.
author: David Faiss
date: 2025-05-26
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
tags:
- attack.stealth
- attack.t1202
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\vshadow.exe'
- OriginalFileName: 'vshadow.exe'
selection_cli:
CommandLine|contains: '-exec'
condition: all of selection_*
falsepositives:
- System backup or administrator tools
- Legitimate administrative scripts
level: medium
title: Arbitrary File Download Via MSEDGE_PROXY.EXE
id: e84d89c4-f544-41ca-a6af-4b92fd38b023
status: test
description: Detects usage of "msedge_proxy.exe" to download arbitrary files
references:
- https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msedge_proxy.exe'
- OriginalFileName: 'msedge_proxy.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Binary Proxy Execution Via Dotnet-Trace.EXE
id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
status: test
description: Detects commandline arguments for executing a child process via dotnet-trace.exe
references:
- https://twitter.com/bohops/status/1740022869198037480
author: Jimmy Bayne (@bohops)
date: 2024-01-02
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet-trace.exe'
- OriginalFileName: 'dotnet-trace.dll'
selection_cli:
CommandLine|contains|all:
- '-- '
- 'collect'
condition: all of selection_*
falsepositives:
- Legitimate usage of the utility in order to debug and trace a program.
level: medium
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: test
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
date: 2022-05-21
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_pwsh:
ParentImage|endswith:
# Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\powershell.exe'
CommandLine|contains: ' -nologo -windowstyle minimized -file '
selection_temp:
# Note: Since the function uses "env:temp" the value will change depending on the context of exec
CommandLine|contains:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: UtilityFunctions.ps1 Proxy Dll
id: 0403d67d-6227-4ea8-8145-4e72db7da120
status: test
description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
references:
- https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
author: frack113
date: 2022-05-28
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'UtilityFunctions.ps1'
- 'RegSnapin '
condition: selection
falsepositives:
- Unknown
level: medium
title: Program Executed Using Proxy/Local Command Via SSH.EXE
id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
status: test
description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ssh/
- https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
- https://gtfobins.github.io/gtfobins/ssh/
- https://man.openbsd.org/ssh_config#ProxyCommand
- https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022-12-29
modified: 2025-10-16
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
# ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
selection_cli_img:
- Image|endswith: '\ssh.exe'
- Product: 'OpenSSH for Windows'
- Hashes|contains:
- 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
- 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
- 'IMPHASH=27b0da080ef92afb37983d30d839141e'
- 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
- 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
- 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
- 'IMPHASH=5f959422308ac3d721010d66647e100e'
- 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
- 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
selection_cli_flags:
- CommandLine|contains: 'ProxyCommand='
- CommandLine|contains|all:
- 'PermitLocalCommand=yes'
- ' LocalCommand'
condition: selection_parent or all of selection_cli_*
falsepositives:
- Legitimate usage for administration purposes
level: medium
title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
id: ac1c92b4-ac81-405a-9978-4604d78cc47e
status: test
description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
references:
- https://twitter.com/0xBoku/status/1679200664013135872
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VSDiagnostics.exe'
- OriginalFileName: 'VSDiagnostics.exe'
selection_cli_start:
CommandLine|contains: 'start'
selection_cli_launch:
CommandLine|contains:
- ' /launch:'
- ' -launch:'
condition: all of selection_*
falsepositives:
- Legitimate usage for tracing and diagnostics purposes
level: medium
title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\provlaunch.exe'
filter_main_covered_children:
# Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Lolbin Unregmp2.exe Use As Proxy
id: 727454c0-d851-48b0-8b89-385611ab0704
status: test
description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
references:
- https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
author: frack113
date: 2022-12-29
modified: 2024-06-04
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\unregmp2.exe'
- OriginalFileName: 'unregmp2.exe'
selection_cmd:
CommandLine|contains|windash: ' /HideWMP'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Launch-VsDevShell.PS1 Proxy Execution
id: 45d3a03d-f441-458c-8883-df101a3bb146
status: test
description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
references:
- https://twitter.com/nas_bench/status/1535981653239255040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1216.001
logsource:
category: process_creation
product: windows
detection:
selection_script:
CommandLine|contains: 'Launch-VsDevShell.ps1'
selection_flags:
CommandLine|contains:
- 'VsWherePath '
- 'VsInstallationPath '
condition: all of selection_*
falsepositives:
- Legitimate usage of the script by a developer
level: medium
title: Pubprn.vbs Proxy Execution
id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
status: test
description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
references:
- https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
author: frack113
date: 2022-05-28
tags:
- attack.stealth
- attack.t1216.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\pubprn.vbs'
- 'script:'
condition: selection
falsepositives:
- Unknown
level: medium
title: Insecure Proxy/DOH Transfer Via Curl.EXE
id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
status: test
description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
CommandLine|contains:
- '--doh-insecure'
- '--proxy-insecure'
condition: all of selection_*
falsepositives:
- Access to badly maintained internal or development systems
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml
title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
- id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
type: similar
- id: fa4b21c9-0057-4493-b289-2556416ae4d7
type: obsolete
status: test
description: |
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2025-10-07
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\squirrel.exe'
- '\update.exe'
selection_exec:
CommandLine|contains:
- '--processStart'
- '--processStartAndWait'
- '--createShortcut'
filter_optional_discord:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Discord\Update.exe'
- 'Discord.exe'
CommandLine|contains:
- '--createShortcut'
- '--processStart'
filter_optional_github_desktop:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\Update.exe'
- 'GitHubDesktop.exe'
CommandLine|contains:
- '--createShortcut'
- '--processStartAndWait'
filter_optional_teams:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Microsoft\Teams\Update.exe'
- 'Teams.exe'
CommandLine|contains:
- '--processStart'
- '--createShortcut'
filter_optional_yammer:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\yammerdesktop\Update.exe'
- 'Yammer.exe'
CommandLine|contains:
- '--processStart'
- '--createShortcut'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
title: F5 BIG-IP iControl Rest API Command Execution - Proxy
id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
related:
- id: 85254a62-22be-4239-b79c-2ec17e566c37
type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
- https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
- https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
- attack.initial-access
- attack.t1190
logsource:
category: proxy
detection:
selection:
cs-method: 'POST'
c-uri|endswith: '/mgmt/tm/util/bash'
condition: selection
falsepositives:
- Legitimate usage of the BIG IP REST API to execute command for administration purposes
level: medium
title: Rclone Activity via Proxy
id: 2c03648b-e081-41a5-b9fb-7d854a915091
status: test
description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
references:
- https://rclone.org/
- https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
author: Janantha Marasinghe
date: 2022-10-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'rclone/v'
condition: selection
falsepositives:
- Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
level: medium
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects setting proxy configuration
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- 'http_proxy='
- 'https_proxy='
condition: selection
falsepositives:
- Legitimate administration activities
level: low