Sigma rules for CVE-2020-15523
62 rules · scoped to cve · back to CVE-2020-15523
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
- id: c4042d54-110d-45dd-a0e1-05c47822c937
type: similar
status: test
description: |
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
- https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains: 'python'
CommandLine|contains|all:
- ' -c '
- 'import'
- 'pty'
- 'socket'
- 'spawn'
- '.connect'
condition: selection
falsepositives:
- Unknown
level: high
title: Inline Python Execution - Spawn Shell Via OS System Library
id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
status: test
description: |
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
references:
- https://gtfobins.github.io/gtfobins/python/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli:
CommandLine|contains|all:
- ' -c '
- 'os.system('
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
- id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
type: similar
status: experimental
description: |
Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
- https://docs.python.org/3/library/base64.html
- https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.006
- attack.t1027.010
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|contains: '/python'
selection_cli:
CommandLine|contains|all:
- 'import'
- 'base64'
- ' -c'
CommandLine|contains:
- '.decode'
- 'b16decode'
- 'b32decode'
- 'b32hexdecode'
- 'b64decode'
- 'b85decode'
- 'z85decode'
condition: all of selection_*
falsepositives:
- Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
- id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
type: similar
status: test
description: |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\Microsoft\Office\'
- '\Excel\Security'
- 'PythonFunctionWarnings'
CommandLine|contains: ' 0'
condition: selection
falsepositives:
- Unknown
level: high
title: Python One-Liners with Base64 Decoding
id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
related:
- id: 55e862a8-dd9c-4651-807a-f21fcad56716
type: similar
status: experimental
description: |
Detects Python one-liners that use base64 decoding functions in command line executions.
Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
- https://docs.python.org/3/library/base64.html
- https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.006
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\python'
- OriginalFileName|contains: 'python'
selection_cli:
CommandLine|contains|all:
- 'import'
- 'base64'
- ' -c'
CommandLine|contains:
- '.decode'
- 'b16decode'
- 'b32decode'
- 'b32hexdecode'
- 'b64decode'
- 'b85decode'
- 'z85decode'
condition: all of selection_*
falsepositives:
- Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
- id: 899133d5-4d7c-4a7f-94ee-27355c879d90
type: derived
status: test
description: Detects python spawning a pretty tty
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
selection_cli_1:
CommandLine|contains|all:
- 'import pty'
- '.spawn('
selection_cli_2:
CommandLine|contains: 'from pty import spawn'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
- id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
type: obsolete
- id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
- https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0349
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- '_ctypes.pyd+'
- ':\Windows\System32\KERNELBASE.dll+'
- ':\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains:
- 'python27.dll+'
- 'python3*.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Unknown
level: high
title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
- id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
type: similar
status: test
description: |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Office\'
TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
status: stable
description: Generic rule for SQL exceptions in Python according to PEP 249
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
author: Thomas Patzke
date: 2017-08-12
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: python
detection:
keywords:
- DataError
- IntegrityError
- ProgrammingError
- OperationalError
condition: keywords
falsepositives:
- Application bugs
level: medium
title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
Detects the execution of Python web servers via command line interface (CLI).
After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
- https://docs.python.org/3/library/http.server.html
- https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: linux
category: process_creation
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_module:
CommandLine|contains:
- 'http.server'
- 'SimpleHTTPServer'
condition: all of selection_*
falsepositives:
- Testing or development activity
level: medium
title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
- id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
type: similar
status: test
description: |
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli_import:
CommandLine|contains:
- 'import pty'
- 'from pty '
selection_cli_spawn:
CommandLine|contains: 'spawn'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: test
description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
- https://pypi.org/project/scapy/
author: frack113
date: 2021-12-10
modified: 2025-03-05
tags:
- attack.discovery
- attack.t1046
logsource:
category: network_connection
product: windows
definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
detection:
selection:
Initiated: 'true'
Image|contains|all:
- '\python'
- '.exe'
filter_optional_conda:
# Related to anaconda updates. Command example: "conda update conda"
# This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
CommandLine|contains|all:
- ':\ProgramData\Anaconda3\Scripts\conda-script.py'
- 'update'
filter_optional_conda_jupyter_notebook:
# Related to anaconda opening an instance of Jupyter Notebook
# This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
ParentImage: C:\ProgramData\Anaconda3\python.exe
CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
filter_main_local_communication:
# This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
DestinationIp: 127.0.0.1
SourceIp: 127.0.0.1
filter_main_pip:
CommandLine|contains|all:
- 'pip.exe'
- 'install'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
level: medium
title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: test
description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
references:
- https://docs.python.org/3/using/cmdline.html#cmdoption-c
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-10-07
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'python.exe'
- Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
selection_cli:
CommandLine|contains: ' -c'
filter_main_python_1: # Based on baseline
ParentImage|startswith:
- 'C:\Program Files\Python'
- 'C:\Program Files (x86)\Python'
ParentImage|endswith: '\python.exe'
ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
filter_main_python_trace: # Based on baseline
ParentImage|startswith:
- 'C:\Program Files\Python'
- 'C:\Program Files (x86)\Python'
CommandLine|contains|all:
# CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
- '-W ignore::DeprecationWarning'
- "['install', '--no-cache-dir', '--no-index', '--find-links',"
- "'--upgrade', 'pip'"
filter_optional_vscode:
- ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- ParentImage:
- 'C:\Program Files\Microsoft VS Code\Code.exe'
- 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
filter_optional_pip:
CommandLine|contains|all:
- '<pip-setuptools-caller>'
- 'exec(compile('
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Python libraries that use a flag starting with "-c". Filter according to your environment
level: medium
title: Potential Python DLL SideLoading
id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
status: test
description: Detects potential DLL sideloading of Python DLL files.
references:
- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
author: Swachchhanda Shrawan Poudel
date: 2024-10-06
modified: 2025-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\python39.dll'
- '\python310.dll'
- '\python311.dll'
- '\python312.dll'
filter_main_default_install_paths:
- ImageLoaded|startswith:
- 'C:\Program Files\Python3'
- 'C:\Program Files (x86)\Python3'
- ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
filter_optional_visual_studio:
ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_anaconda:
ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
filter_optional_cpython:
ImageLoaded|contains:
- '\cpython\externals\'
- '\cpython\PCbuild\'
filter_optional_pyinstaller:
# Triggered by programs bundled with PyInstaller
ImageLoaded|startswith: 'C:\Users'
ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
filter_main_legit_signature_details:
Product: 'Python'
Signed: 'true'
Description: 'Python'
Company: 'Python Software Foundation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software using Python DLLs
level: medium
title: Python Image Load By Non-Python Process
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
status: test
description: |
Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
references:
- https://www.py2exe.org/
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
author: Patrick St. John, OTR (Open Threat Research)
date: 2020-05-03
modified: 2025-08-18
tags:
- attack.stealth
- attack.t1027.002
logsource:
product: windows
category: image_load
detection:
selection:
Description: 'Python Core'
filter_main_generic:
- Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
- Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
filter_optional_null_image:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate Py2Exe Binaries
- Known false positive caused with Python Anaconda
- Various legitimate software is bundled from Python code into executables
level: low
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
title: Windows LAPS Credential Dump From Entra ID
id: a4b25073-8947-489c-a8dd-93b41c23f26d
status: test
description: Detects when an account dumps the LAPS password from Entra ID.
references:
- https://twitter.com/NathanMcNulty/status/1785051227568632263
- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
author: andrewdanis
date: 2024-06-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.005
logsource:
product: azure
service: auditlogs
detection:
selection:
category: 'Device'
activityType|contains: 'Recover device local administrator password'
additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
condition: selection
falsepositives:
- Approved activity performed by an Administrator.
level: high
title: Tamper Windows Defender - PSClassic
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
- id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
type: similar
status: test
description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-07
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_classic_provider_start
detection:
selection_set_mppreference:
Data|contains: 'Set-MpPreference'
selection_options_bool_allow:
Data|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_options_actions_func:
Data|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: selection_set_mppreference and 1 of selection_options_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
title: Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
id: ae2bdd58-0681-48ac-be7f-58ab4e593458
related:
- id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
type: similar
status: test
description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_remove:
ScriptBlockText|contains: 'Remove-MpPreference'
selection_tamper:
ScriptBlockText|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
- id: ec19ebab-72dc-40e1-9728-4c0b805d722c
type: derived
status: test
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-16
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_options_disabling_preference:
ScriptBlockText|contains: 'Set-MpPreference'
selection_options_disabling_function:
ScriptBlockText|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_other_default_actions_allow:
ScriptBlockText|contains: 'Set-MpPreference'
selection_other_default_actions_func:
ScriptBlockText|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
- https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
- https://www.shellhacks.com/clear-history-powershell/
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains: Clear-History
selection2a:
ScriptBlockText|contains:
- Remove-Item
- rm
selection2b:
ScriptBlockText|contains:
- ConsoleHost_history.txt
- (Get-PSReadlineOption).HistorySavePath
condition: selection1 or selection2a and selection2b
falsepositives:
- Unknown
level: high
title: PowerShell Set-Acl On Windows Folder - PsScript
id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1222
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
ScriptBlockText|contains:
- '-Path "C:\Windows'
- '-Path "C:/Windows'
- "-Path 'C:\\Windows"
- "-Path 'C:/Windows"
- '-Path C:\\Windows'
- '-Path C:/Windows'
- '-Path $env:windir'
- '-Path "$env:windir'
- "-Path '$env:windir"
selection_permissions:
# Note: Add more suspicious permissions
ScriptBlockText|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: file_event
product: windows
detection:
selection_generic:
Image|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\smss.exe'
- '\wininit.exe'
- '\winlogon.exe'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.ps1'
- '.txt'
- '.vbe'
- '.vbs'
selection_special:
Image|endswith:
- '\dllhost.exe'
- '\rundll32.exe'
- '\svchost.exe'
TargetFilename|endswith:
- '.bat'
- '.hta'
- '.iso'
- '.ps1'
- '.vbe'
- '.vbs'
filter_main_AppLockerPolicyTest:
Image: 'C:\Windows\System32\dllhost.exe'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
filter_main_clipchamp:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Program Files\WindowsApps\Clipchamp'
- '.ps1'
filter_main_powershell_preview:
Image:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|startswith:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
TargetFilename|endswith: '.ps1'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection_1:
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\powershell.exe'
- '\pwsh.exe'
- '\sh.exe'
- '\wscript.exe'
TargetFilename|startswith:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
selection_2:
Image|endswith:
- '\certutil.exe'
- '\forfiles.exe'
- '\mshta.exe'
# - '\rundll32.exe' # Potential FP
- '\schtasks.exe'
- '\scriptrunner.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
TargetFilename|contains:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection1:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
selection2:
Image: 'C:\Windows\system32\DllHost.exe'
TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsolete
- id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
type: obsolete
- id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
type: obsolete
status: test
description: |
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
- attack.impact
- attack.defense-impairment
- attack.t1489
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_tools_img:
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'psservice.exe'
- 'pwsh.dll'
- 'sc.exe'
- 'wmic.exe'
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- '\PowerShell_ISE.EXE'
- '\powershell.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\pwsh.exe'
- '\sc.exe'
- '\wmic.exe' # wmic process call win32_service where name='servicename' delete
selection_tools_cli:
- CommandLine|contains:
- ' delete '
- '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
- ' pause ' # Covers flags from: PsService and Sc.EXE
- ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
- 'Stop-Service '
- 'Remove-Service '
- CommandLine|contains|all:
- 'config'
- 'start=disabled'
selection_services:
CommandLine|contains:
- '143Svc'
- 'Acronis VSS Provider'
- 'AcronisAgent'
- 'AcrSch2Svc'
- 'AdobeARMservice'
- 'AHS Service'
- 'Antivirus'
- 'Apache4'
- 'ARSM'
- 'aswBcc'
- 'AteraAgent'
- 'Avast Business Console Client Antivirus Service'
- 'avast! Antivirus'
- 'AVG Antivirus'
- 'avgAdminClient'
- 'AvgAdminServer'
- 'AVP1'
- 'BackupExec'
- 'bedbg'
- 'BITS'
- 'BrokerInfrastructure'
- 'CASLicenceServer'
- 'CASWebServer'
- 'Client Agent 7.60'
- 'Core Browsing Protection'
- 'Core Mail Protection'
- 'Core Scanning Server'
- 'DCAgent'
- 'dwmrcs'
- 'EhttpSr'
- 'ekrn'
- 'Enterprise Client Service'
- 'epag'
- 'EPIntegrationService'
- 'EPProtectedService'
- 'EPRedline'
- 'EPSecurityService'
- 'EPUpdateService'
- 'EraserSvc11710'
- 'EsgShKernel'
- 'ESHASRV'
- 'FA_Scheduler'
- 'FirebirdGuardianDefaultInstance'
- 'FirebirdServerDefaultInstance'
- 'FontCache3.0.0.0'
- 'HealthTLService'
- 'hmpalertsvc'
- 'HMS'
- 'HostControllerService'
- 'hvdsvc'
- 'IAStorDataMgrSvc'
- 'IBMHPS'
- 'ibmspsvc'
- 'IISAdmin'
- 'IMANSVC'
- 'IMAP4Svc'
- 'instance2'
- 'KAVFS'
- 'KAVFSGT'
- 'kavfsslp'
- 'KeyIso'
- 'klbackupdisk'
- 'klbackupflt'
- 'klflt'
- 'klhk'
- 'KLIF'
- 'klim6'
- 'klkbdflt'
- 'klmouflt'
- 'klnagent'
- 'klpd'
- 'kltap'
- 'KSDE1.0.0'
- 'LogProcessorService'
- 'M8EndpointAgent'
- 'macmnsvc'
- 'masvc'
- 'MBAMService'
- 'MBCloudEA'
- 'MBEndpointAgent'
- 'McAfeeDLPAgentService'
- 'McAfeeEngineService'
- 'MCAFEEEVENTPARSERSRV'
- 'McAfeeFramework'
- 'MCAFEETOMCATSRV530'
- 'McShield'
- 'McTaskManager'
- 'mfefire'
- 'mfemms'
- 'mfevto'
- 'mfevtp'
- 'mfewc'
- 'MMS'
- 'mozyprobackup'
- 'mpssvc'
- 'MSComplianceAudit'
- 'MSDTC'
- 'MsDtsServer'
- 'MSExchange'
- 'msftesq1SPROO'
- 'msftesql$PROD'
- 'msftesql$SQLEXPRESS'
- 'MSOLAP$SQL_2008'
- 'MSOLAP$SYSTEM_BGC'
- 'MSOLAP$TPS'
- 'MSOLAP$TPSAMA'
- 'MSOLAPSTPS'
- 'MSOLAPSTPSAMA'
- 'mssecflt'
- 'MSSQ!I.SPROFXENGAGEMEHT'
- 'MSSQ0SHAREPOINT'
- 'MSSQ0SOPHOS'
- 'MSSQL'
- 'MSSQLFDLauncher$'
- 'MySQL'
- 'NanoServiceMain'
- 'NetMsmqActivator'
- 'NetPipeActivator'
- 'netprofm'
- 'NetTcpActivator'
- 'NetTcpPortSharing'
- 'ntrtscan'
- 'nvspwmi'
- 'ofcservice'
- 'Online Protection System'
- 'OracleClientCache80'
- 'OracleDBConsole'
- 'OracleMTSRecoveryService'
- 'OracleOraDb11g_home1'
- 'OracleService'
- 'OracleVssWriter'
- 'osppsvc'
- 'PandaAetherAgent'
- 'PccNTUpd'
- 'PDVFSService'
- 'POP3Svc'
- 'postgresql-x64-9.4'
- 'POVFSService'
- 'PSUAService'
- 'Quick Update Service'
- 'RepairService'
- 'ReportServer'
- 'ReportServer$'
- 'RESvc'
- 'RpcEptMapper'
- 'sacsvr'
- 'SamSs'
- 'SAVAdminService'
- 'SAVService'
- 'ScSecSvc'
- 'SDRSVC'
- 'SearchExchangeTracing'
- 'sense'
- 'SentinelAgent'
- 'SentinelHelperService'
- 'SepMasterService'
- 'ShMonitor'
- 'Smcinst'
- 'SmcService'
- 'SMTPSvc'
- 'SNAC'
- 'SntpService'
- 'Sophos'
- 'SQ1SafeOLRService'
- 'SQL Backups'
- 'SQL Server'
- 'SQLAgent'
- 'SQLANYs_Sage_FAS_Fixed_Assets'
- 'SQLBrowser'
- 'SQLsafe'
- 'SQLSERVERAGENT'
- 'SQLTELEMETRY'
- 'SQLWriter'
- 'SSISTELEMETRY130'
- 'SstpSvc'
- 'storflt'
- 'svcGenericHost'
- 'swc_service'
- 'swi_filter'
- 'swi_service'
- 'swi_update'
- 'Symantec'
- 'sysmon'
- 'TeamViewer'
- 'Telemetryserver'
- 'ThreatLockerService'
- 'TMBMServer'
- 'TmCCSF'
- 'TmFilter'
- 'TMiCRCScanService'
- 'tmlisten'
- 'TMLWCSService'
- 'TmPfw'
- 'TmPreFilter'
- 'TmProxy'
- 'TMSmartRelayService'
- 'tmusa'
- 'Tomcat'
- 'Trend Micro Deep Security Manager'
- 'TrueKey'
- 'UFNet'
- 'UI0Detect'
- 'UniFi'
- 'UTODetect'
- 'vds'
- 'Veeam'
- 'VeeamDeploySvc'
- 'Veritas System Recovery'
- 'vmic'
- 'VMTools'
- 'vmvss'
- 'VSApiNt'
- 'VSS'
- 'W3Svc'
- 'wbengine'
- 'WdNisSvc'
- 'WeanClOudSve'
- 'Weems JY'
- 'WinDefend'
- 'wmms'
- 'wozyprobackup'
- 'WPFFontCache_v0400'
- 'WRSVC'
- 'wsbexchange'
- 'WSearch'
- 'wscsvc'
- 'Zoolz 2 Service'
condition: all of selection_*
falsepositives:
- Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
title: Suspicious Uninstall of Windows Defender Feature via PowerShell
id: c443012c-7928-43bf-ac20-7eda5efe61ad
status: experimental
description: |
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.windows.servermanager.migration/uninstall-windowsfeature
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
author: yxinmiracle
date: 2025-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_uninstall:
CommandLine|contains:
- 'Uninstall-WindowsFeature'
- 'Remove-WindowsFeature' # Only supported in Windows Server 2008 R2 and Windows 2012 R2
selection_cli_defender_feature:
CommandLine|contains: 'Windows-Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
- id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
type: similar
status: experimental
description: |
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_action:
CommandLine|contains:
- 'del'
- 'Remove-Item'
- 'ri '
selection_reg_path:
CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
condition: all of selection_*
falsepositives:
- May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
- https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_root_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_root_path:
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
- 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_0:
CommandLine|contains|all:
- ' add '
- 'd 0'
CommandLine|contains:
- 'DisallowExploitProtectionOverride'
- 'EnableControlledFolderAccess'
- 'MpEnablePus'
- 'PUAProtection'
- 'SpynetReporting'
- 'SubmitSamplesConsent'
- 'TamperProtection'
selection_dword_1:
CommandLine|contains|all:
- ' add '
- 'd 1'
CommandLine|contains:
- 'DisableAccess'
- 'DisableAntiSpyware'
- 'DisableAntiSpywareRealtimeProtection'
- 'DisableAntiVirus'
- 'DisableAntiVirusSignatures'
- 'DisableArchiveScanning'
- 'DisableBehaviorMonitoring'
- 'DisableBlockAtFirstSeen'
- 'DisableCloudProtection'
- 'DisableConfig'
- 'DisableEnhancedNotifications'
- 'DisableIntrusionPreventionSystem'
- 'DisableIOAVProtection'
- 'DisableNetworkProtection'
- 'DisableOnAccessProtection'
- 'DisablePrivacyMode'
- 'DisableRealtimeMonitoring'
- 'DisableRoutinelyTakingAction'
- 'DisableScanOnRealtimeEnable'
- 'DisableScriptScanning'
- 'DisableSecurityCenter'
- 'Notification_Suppress'
- 'SignatureDisableUpdateOnStartupWithoutEngine'
condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
- Rare legitimate use by administrators to test software (should always be investigated)
level: high
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_path:
CommandLine|contains:
- '\Control\WMI\Autologger\DefenderApiLogger\Start'
- '\Control\WMI\Autologger\DefenderAuditLogger\Start'
selection_reg_add:
CommandLine|contains|all:
- 'add'
- '0'
filter_main_enable:
CommandLine|contains: '0x00000001'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Highly unlikely
level: high
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects attempts to disable Windows EventLog autologger sessions via registry modification.
The AutoLogger event tracing session records events that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://ptylu.github.io/content/report/report.html?report=25
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\reg.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'reg.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_action:
CommandLine|contains:
- 'add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'si ' # Set-ItemProperty alias
selection_cli_base:
CommandLine|contains: '\Control\WMI\Autologger\'
selection_cli_key:
CommandLine|contains:
- 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
- 'Enabled' # Key used to disable specific provider of autologger session
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
- id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
type: similar
status: experimental
description: |
Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
AMSI provides a generic interface for applications and services to integrate with antimalware products.
Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_key:
CommandLine|contains|all:
- '\Software\Microsoft\Windows Script\Settings'
- 'AmsiEnable'
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains: 'add'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd:
CommandLine|contains:
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'sp '
condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'MpCmdRun.exe'
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: 'MpCmdRun.exe'
- Description: 'Microsoft Malware Protection Command Line Utility'
selection_cli:
CommandLine|contains|all:
- 'DownloadFile'
- 'url'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage|endswith: '\mmc.exe'
selection2:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- Image|contains: '\BITSADMIN'
condition: all of selection*
level: high
title: Tamper Windows Defender Remove-MpPreference
id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
related:
- id: ae2bdd58-0681-48ac-be7f-58ab4e593458
type: similar
status: test
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_remove:
CommandLine|contains: 'Remove-MpPreference'
selection_tamper:
CommandLine|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
- id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
type: similar
- id: 2fbbe9ff-0afc-470b-bdc0-592198339968
type: derived
status: experimental
description: |
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
- attack.command-and-control
- attack.stealth
- attack.t1219.002
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_meshagent:
- CommandLine|contains: '--meshServiceName'
- OriginalFileName|contains: 'meshagent'
filter_main_legitimate:
Image|endswith: '\meshagent.exe'
condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Defender Definition Files Removed
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
author: frack113
date: 2021-07-07
modified: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MpCmdRun.exe'
- OriginalFileName: MpCmdRun.exe
selection_cli:
CommandLine|contains|all:
- ' -RemoveDefinitions'
- ' -All'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pwsh_binary:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- '-DisableBehaviorMonitoring $true'
- '-DisableRuntimeMonitoring $true'
selection_sc_binary:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_stop:
CommandLine|contains|all:
- 'stop'
- 'WinDefend'
selection_sc_tamper_cmd_delete:
CommandLine|contains|all:
- 'delete'
- 'WinDefend'
selection_sc_tamper_cmd_disabled:
CommandLine|contains|all:
- 'config'
- 'WinDefend'
- 'start=disabled'
condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
- 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
title: PowerShell Set-Acl On Windows Folder
id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
CommandLine|contains:
- '-Path "C:\Windows'
- "-Path 'C:\\Windows"
- '-Path %windir%'
- '-Path $env:windir'
selection_permissions:
# Note: Add more suspicious permissions
CommandLine|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'set'
- 'config'
- 'section:httplogging'
- 'dontLog:true'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
- https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685
- attack.t1685.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\logman.exe'
- OriginalFileName: 'Logman.exe'
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains:
- 'Circular Kernel Context Logger'
- 'EventLog-' # Cover multiple traces starting with EventLog-*
- 'SYSMON TRACE'
- 'SysmonDnsEtwSession'
condition: all of selection*
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
level: high