Sigma rules for CVE-2021-21999
28 rules · scoped to cve · back to CVE-2021-21999
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains:
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: critical
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
- https://www.secura.com/blog/zero-logon
- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
- attack.t1210
- attack.lateral-movement
logsource:
service: system
product: windows
detection:
selection:
EventID:
- 5805
- 5723
keywords:
- kali
- mimikatz
condition: selection and keywords
level: critical
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
- attack.lateral-movement
- attack.t1021.001
- car.2013-07-002
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 3389
Initiated: 'true'
filter_main_mstsc:
Image:
- 'C:\Windows\System32\mstsc.exe'
- 'C:\Windows\SysWOW64\mstsc.exe'
filter_optional_dns:
# Note: https://github.com/SigmaHQ/sigma/pull/2249
Image: 'C:\Windows\System32\dns.exe'
SourcePort: 53
Protocol: 'udp'
filter_optional_avast:
Image|endswith:
- '\Avast Software\Avast\AvastSvc.exe'
- '\Avast\AvastSvc.exe'
filter_optional_sysinternals_rdcman:
Image|endswith: '\RDCMan.exe'
filter_optional_chrome:
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_third_party:
Image|endswith:
- '\FSAssessment.exe'
- '\FSDiscovery.exe'
- '\MobaRTE.exe'
- '\mRemote.exe'
- '\mRemoteNG.exe'
- '\Passwordstate.exe'
- '\RemoteDesktopManager.exe'
- '\RemoteDesktopManager64.exe'
- '\RemoteDesktopManagerFree.exe'
- '\RSSensor.exe'
- '\RTS2App.exe'
- '\RTSApp.exe'
- '\spiceworks-finder.exe'
- '\Terminals.exe'
- '\ws_TunnelService.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_splunk:
Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
filter_optional_sentinel_one:
Image|endswith: '\Ranger\SentinelRanger.exe'
filter_optional_firefox:
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tsplus: # Some RAS
Image:
- 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
- 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
filter_optional_null:
Image: null
filter_optional_empty:
Image: ''
filter_optional_unknown:
Image: '<unknown process>'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Third party RDP tools
level: high
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
- attack.t1003.004
- attack.t1003.005
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains:
- '\fgdump-log'
- '\kirbi'
- '\pwdump'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- TargetFilename|endswith:
- '\cachedump.exe'
- '\cachedump64.exe'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\Dumpy.exe'
- '\fgexec.exe'
- '\lsremora.dll'
- '\lsremora64.dll'
- '\NTDS.out'
- '\procdump.exe'
- '\procdump64.exe'
- '\procdump64a.exe'
- '\pstgdump.exe'
- '\pwdump.exe'
- '\SAM.out'
- '\SECURITY.out'
- '\servpw.exe'
- '\servpw64.exe'
- '\SYSTEM.out'
- '\test.pwd'
- '\wceaux.dll'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
title: UAC Bypass Tools Using ComputerDefaults
id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
status: test
description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-31
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
Image: 'C:\Windows\System32\ComputerDefaults.exe'
filter:
ParentImage|contains:
- ':\Windows\System32'
- ':\Program Files'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_iwr:
Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
CommandLine|contains:
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
- 'wget '
CommandLine|contains|all:
- ' -ur' # Shortest possible version of the -uri flag
- ' -me' # Shortest possible version of the -method flag
- ' -b'
- ' POST '
selection_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
selection_curl_data:
CommandLine|contains:
- ' -d ' # Shortest possible version of the --data flag
- ' --data '
selection_wget:
Image|endswith: '\wget.exe'
CommandLine|contains:
- '--post-data'
- '--post-file'
payloads:
- CommandLine|re:
- 'net\s+view'
- 'sc\s+query'
- CommandLine|contains:
- 'Get-Content'
- 'GetBytes'
- 'hostname'
- 'ifconfig'
- 'ipconfig'
- 'netstat'
- 'nltest'
- 'qprocess'
- 'systeminfo'
- 'tasklist'
- 'ToBase64String'
- 'whoami'
- CommandLine|contains|all:
- 'type '
- ' > '
- ' C:\'
condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
- Unlikely
level: high
title: HackTool - Impacket Tools Execution
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
status: test
description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
references:
- https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-07
tags:
- attack.collection
- attack.execution
- attack.credential-access
- attack.t1557.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- '\goldenPac'
- '\karmaSMB'
- '\kintercept'
- '\ntlmrelayx'
- '\rpcdump'
- '\samrdump'
- '\secretsdump'
- '\smbexec'
- '\smbrelayx'
- '\wmiexec'
- '\wmipersist'
- Image|endswith:
- '\atexec_windows.exe'
- '\dcomexec_windows.exe'
- '\dpapi_windows.exe'
- '\findDelegation_windows.exe'
- '\GetADUsers_windows.exe'
- '\GetNPUsers_windows.exe'
- '\getPac_windows.exe'
- '\getST_windows.exe'
- '\getTGT_windows.exe'
- '\GetUserSPNs_windows.exe'
- '\ifmap_windows.exe'
- '\mimikatz_windows.exe'
- '\netview_windows.exe'
- '\nmapAnswerMachine_windows.exe'
- '\opdump_windows.exe'
- '\psexec_windows.exe'
- '\rdp_check_windows.exe'
- '\sambaPipe_windows.exe'
- '\smbclient_windows.exe'
- '\smbserver_windows.exe'
- '\sniff_windows.exe'
- '\sniffer_windows.exe'
- '\split_windows.exe'
- '\ticketer_windows.exe'
# - '\addcomputer_windows.exe'
# - '\esentutl_windows.exe'
# - '\getArch_windows.exe'
# - '\lookupsid_windows.exe'
# - '\mqtt_check_windows.exe'
# - '\mssqlclient_windows.exe'
# - '\mssqlinstance_windows.exe'
# - '\ntfs-read_windows.exe'
# - '\ping_windows.exe'
# - '\ping6_windows.exe'
# - '\raiseChild_windows.exe'
# - '\reg_windows.exe'
# - '\registry-read_windows.exe'
# - '\services_windows.exe'
# - '\wmiquery_windows.exe'
condition: selection
falsepositives:
- Legitimate use of the impacket tools
level: high
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.t1048.001
- attack.command-and-control
- attack.t1071.004
- attack.t1132.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
- Unlikely
level: high
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
# Please add new values while respecting the alphabetical order
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\ProcDump'
- '\Process Explorer'
- '\PsExec'
- '\PsLoggedon'
- '\PsLoglist'
- '\PsPasswd'
- '\PsPing'
- '\PsService'
- '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
# Please add new values while respecting the alphabetical order
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\PsExec.exe'
- '\PsExec64.exe'
- '\PsLoggedon.exe'
- '\PsLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\PsPing.exe'
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\sdelete.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml
title: Usage of Renamed Sysinternals Tools - RegistrySet
id: 8023f872-3f1d-4301-a384-801889917ab4
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: f50f3c09-557d-492d-81db-9064a8d4e211
type: similar
status: test
description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-08-17
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
TargetObject|endswith: '\EulaAccepted'
filter_main_image_names:
Image|endswith:
- '\PsExec.exe'
- '\PsExec64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
filter_optional_null:
Image: null # Race condition with some logging tools
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: macos
detection:
launchctl_unload:
Image: '/bin/launchctl'
CommandLine|contains: 'unload'
security_plists:
CommandLine|contains:
- 'com.objective-see.lulu.plist' # Objective-See firewall management utility
- 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
- 'com.google.santad.plist' # google santa
- 'com.carbonblack.defense.daemon.plist' # carbon black
- 'com.carbonblack.daemon.plist' # carbon black
- 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
- 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
- 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
- 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
- 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
- 'osquery' # facebook osquery
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'packetbeat' # elastic network logger/shipper
- 'td-agent' # fluentd log shipper
disable_gatekeeper:
Image: '/usr/sbin/spctl'
CommandLine|contains: 'disable'
condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
- Legitimate activities
level: medium
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1686
logsource:
category: process_creation
product: linux
detection:
selection_iptables_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_2:
Image|endswith: '/service'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_iptables_3:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_4:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_firewall_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'stop'
selection_firewall_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'disable'
selection_carbonblack_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_2:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'cbdaemon'
- 'off'
selection_carbonblack_3:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_4:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'disable'
selection_selinux:
Image|endswith: '/setenforce'
CommandLine|contains: '0'
selection_crowdstrike_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'stop'
- 'falcon-sensor'
selection_crowdstrike_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'disable'
- 'falcon-sensor'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: medium
title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
- id: e3a8a052-111f-4606-9aee-f28ebeb76776
type: derived
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
service: syslog
detection:
keywords:
- 'stopping iptables'
- 'stopping ip6tables'
- 'stopping firewalld'
- 'stopping cbdaemon'
- 'stopping falcon-sensor'
condition: keywords
falsepositives:
- Legitimate administration activities
level: medium
title: SQL Client Tools PowerShell Session Detection
id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
status: test
description: |
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
- https://twitter.com/pabraeken/status/993298228840992768
author: 'Agro (@agro_sev) oscd.communitly'
date: 2020-10-13
modified: 2022-02-25
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sqltoolsps.exe'
- ParentImage|endswith: '\sqltoolsps.exe'
- OriginalFileName: '\sqltoolsps.exe'
filter:
ParentImage|endswith: '\smss.exe'
condition: selection and not filter
falsepositives:
- Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
level: medium
title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
Detects potential network sniffing via use of network tools such as "tshark", "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_tshark:
Image|endswith: '\tshark.exe'
CommandLine|contains: '-i'
selection_windump:
Image|endswith: '\windump.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activity to troubleshoot network issues
level: medium
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
# Note: Add additional keywords to increase and enhance coverage
# Note:
# We use the double quote variation because in cases of where the command is executed through cmd for example:
# cmd /c "tasklist | findstr virus"
# Logging utilties such as Sysmon would capture the end quote as part of findstr execution
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
- type: atomic-red-team
name: Security Software Discovery
technique: T1518.001
atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-20
modified: 2023-03-06
tags:
- attack.credential-access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'dir '
selection_pwsh_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains: 'Get-ChildItem '
selection_findstr:
- Image|endswith: '\findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_ext:
CommandLine|contains:
- '.key'
- '.pgp'
- '.gpg'
- '.ppk'
- '.p12'
- '.pem'
- '.pfx'
- '.cer'
- '.p7b'
- '.asc'
condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
- Unknown
level: medium
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: |
Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2025-04-12
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_exe:
Image|endswith:
- '\accesschk.exe'
- '\accesschk64.exe'
- '\AccessEnum.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADInsight.exe'
- '\ADInsight64.exe'
- '\adrestore.exe'
- '\adrestore64.exe'
- '\Autologon.exe'
- '\Autologon64.exe'
- '\Autoruns.exe'
- '\Autoruns64.exe'
- '\autorunsc.exe'
- '\autorunsc64.exe'
- '\Bginfo.exe'
- '\Bginfo64.exe'
- '\Cacheset.exe'
- '\Cacheset64.exe'
- '\Clockres.exe'
- '\Clockres64.exe'
- '\Contig.exe'
- '\Contig64.exe'
- '\Coreinfo.exe'
- '\Coreinfo64.exe'
- '\CPUSTRES.EXE'
- '\CPUSTRES64.EXE'
- '\ctrl2cap.exe'
- '\Dbgview.exe'
- '\dbgview64.exe'
- '\Desktops.exe'
- '\Desktops64.exe'
- '\disk2vhd.exe'
- '\disk2vhd64.exe'
- '\diskext.exe'
- '\diskext64.exe'
- '\Diskmon.exe'
- '\Diskmon64.exe'
- '\DiskView.exe'
- '\DiskView64.exe'
- '\du.exe'
- '\du64.exe'
- '\efsdump.exe'
- '\FindLinks.exe'
- '\FindLinks64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\hex2dec.exe'
- '\hex2dec64.exe'
- '\junction.exe'
- '\junction64.exe'
- '\ldmdump.exe'
- '\listdlls.exe'
- '\listdlls64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\loadOrd.exe'
- '\loadOrd64.exe'
- '\loadOrdC.exe'
- '\loadOrdC64.exe'
- '\logonsessions.exe'
- '\logonsessions64.exe'
- '\movefile.exe'
- '\movefile64.exe'
- '\notmyfault.exe'
- '\notmyfault64.exe'
- '\notmyfaultc.exe'
- '\notmyfaultc64.exe'
- '\ntfsinfo.exe'
- '\ntfsinfo64.exe'
- '\pendmoves.exe'
- '\pendmoves64.exe'
- '\pipelist.exe'
- '\pipelist64.exe'
- '\portmon.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\Procmon.exe'
- '\Procmon64.exe'
- '\psExec.exe'
- '\psExec64.exe'
- '\psfile.exe'
- '\psfile64.exe'
- '\psGetsid.exe'
- '\psGetsid64.exe'
- '\psInfo.exe'
- '\psInfo64.exe'
- '\pskill.exe'
- '\pskill64.exe'
- '\pslist.exe'
- '\pslist64.exe'
- '\psLoggedon.exe'
- '\psLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\psping.exe'
- '\psping64.exe'
- '\psService.exe'
- '\psService64.exe'
- '\psshutdown.exe'
- '\psshutdown64.exe'
- '\pssuspend.exe'
- '\pssuspend64.exe'
- '\RAMMap.exe'
- '\RAMMap64.exe'
- '\RDCMan.exe'
- '\RegDelNull.exe'
- '\RegDelNull64.exe'
- '\regjump.exe'
- '\ru.exe'
- '\ru64.exe'
- '\sdelete.exe'
- '\sdelete64.exe'
- '\ShareEnum.exe'
- '\ShareEnum64.exe'
- '\shellRunas.exe'
- '\sigcheck.exe'
- '\sigcheck64.exe'
- '\streams.exe'
- '\streams64.exe'
- '\strings.exe'
- '\strings64.exe'
- '\sync.exe'
- '\sync64.exe'
- '\Sysmon.exe'
- '\Sysmon64.exe'
- '\tcpvcon.exe'
- '\tcpvcon64.exe'
- '\tcpview.exe'
- '\tcpview64.exe'
- '\Testlimit.exe'
- '\Testlimit64.exe'
- '\vmmap.exe'
- '\vmmap64.exe'
- '\Volumeid.exe'
- '\Volumeid64.exe'
- '\whois.exe'
- '\whois64.exe'
- '\Winobj.exe'
- '\Winobj64.exe'
- '\ZoomIt.exe'
- '\ZoomIt64.exe'
selection_arm64:
Image|endswith:
- '\accesschk64a.exe'
- '\ADExplorer64a.exe'
- '\ADInsight64a.exe'
- '\adrestore64a.exe'
- '\Autologon64a.exe'
- '\Autoruns64a.exe'
- '\autorunsc64a.exe'
- '\Clockres64a.exe'
- '\Contig64a.exe'
- '\Coreinfo64a.exe'
- '\Dbgview64a.exe'
- '\disk2vhd64a.exe'
- '\diskext64a.exe'
- '\DiskView64a.exe'
- '\du64a.exe'
- '\FindLinks64a.exe'
- '\handle64a.exe'
- '\hex2dec64a.exe'
- '\junction64a.exe'
- '\LoadOrd64a.exe'
- '\LoadOrdC64a.exe'
- '\logonsessions64a.exe'
- '\movefile64a.exe'
- '\notmyfault64a.exe'
- '\notmyfaultc64a.exe'
- '\pendmoves64a.exe'
- '\pipelist64a.exe'
- '\procdump64a.exe'
- '\procexp64a.exe'
- '\Procmon64a.exe'
- '\PsExec64a.exe'
- '\psfile64a.exe'
- '\PsGetsid64a.exe'
- '\PsInfo64a.exe'
- '\pskill64a.exe'
- '\psloglist64a.exe'
- '\pspasswd64a.exe'
- '\psping64a.exe'
- '\PsService64a.exe'
- '\pssuspend64a.exe'
- '\RAMMap64a.exe'
- '\RegDelNull64a.exe'
- '\ru64a.exe'
- '\sdelete64a.exe'
- '\sigcheck64a.exe'
- '\streams64a.exe'
- '\strings64a.exe'
- '\sync64a.exe'
- '\Sysmon64a.exe'
- '\tcpvcon64a.exe'
- '\tcpview64a.exe'
- '\vmmap64a.exe'
- '\whois64a.exe'
- '\Winobj64a.exe'
- '\ZoomIt64a.exe'
filter_valid:
- Company:
- 'Sysinternals - www.sysinternals.com'
- 'Sysinternals'
- Product|startswith: 'Sysinternals'
filter_empty:
- Company: null
- Product: null
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_set_1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
Details: 'DWORD (0x00000001)'
selection_set_0:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
- 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
- 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
- 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_set_*
falsepositives:
- Legitimate admin script
level: medium
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
- https://twitter.com/_vivami/status/1347925307643355138
- https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
- attack.t1137.006
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Office\Outlook\Addins\'
- '\Software\Microsoft\Office\Word\Addins\'
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
filter_main_system:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
filter_main_office_click_to_run:
Image|startswith:
- 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_integrator:
Image:
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_main_office_apps:
Image|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
- 'C:\PROGRA~2\MICROS~2\Office'
Image|endswith:
- '\excel.exe'
- '\Integrator.exe'
- '\OneNote.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\Teams.exe'
- '\visio.exe'
- '\winword.exe'
filter_main_vsto:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
- 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
Image|endswith: '\VSTOInstaller.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate Addin Installation
level: medium
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 9841b233-8df8-4ad7-9133-b0b4402a9014
type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\ProcDump'
- '\PsExec'
- '\PsLoglist'
- '\PsPasswd'
- '\SDelete'
- '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-user-agent|contains:
# Add more tools as you see fit
- 'Wfuzz/'
- 'WPScan v'
- 'Recon-ng/v'
- 'GIS - AppSec Team - Project Vision'
condition: selection
falsepositives:
- Unknown
level: medium
title: Linux Network Service Scanning Tools Execution
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: test
description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
- https://github.com/projectdiscovery/naabu
- https://github.com/Tib3rius/AutoRecon
author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
date: 2020-10-21
modified: 2024-09-19
tags:
- attack.discovery
- attack.t1046
logsource:
category: process_creation
product: linux
detection:
selection_netcat:
Image|endswith:
- '/nc'
- '/ncat'
- '/netcat'
- '/socat'
selection_network_scanning_tools:
Image|endswith:
- '/autorecon'
- '/hping'
- '/hping2'
- '/hping3'
- '/naabu'
- '/nmap'
- '/nping'
- '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
- '/zenmap'
filter_main_netcat_listen_flag:
CommandLine|contains:
- ' --listen '
- ' -l '
condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
falsepositives:
- Legitimate administration activities
level: low
title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
id: db809f10-56ce-4420-8c86-d6a7d793c79c
status: test
description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-12-03
tags:
- attack.stealth
- attack.t1006
logsource:
product: windows
category: raw_access_thread
detection:
filter_main_floppy:
Device|contains: floppy
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\CCM\'
- 'C:\Windows\explorer.exe'
- 'C:\Windows\servicing\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemApps\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_main_system_images:
Image:
- 'Registry'
- 'System'
filter_main_windefender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith:
- '\MsMpEng.exe'
- '\MpDefenderCoreService.exe'
filter_main_microsoft_appdata:
Image|startswith: 'C:\Users\'
Image|contains|all:
- '\AppData\'
- '\Microsoft\'
filter_main_ssd_nvme:
Image|startswith: 'C:\Windows\Temp\'
Image|endswith:
- '\Executables\SSDUpdate.exe'
- '\HostMetadata\NVMEHostmetadata.exe'
filter_main_null:
Image: null
filter_main_systemsettings:
Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
filter_main_update:
Image|startswith: 'C:\$WinREAgent\Scratch\'
filter_optional_github_desktop:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\GitHubDesktop\app-'
Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
filter_optional_nextron:
Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
Image|endswith: '\thor.exe'
filter_optional_Keybase:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Keybase\upd.exe'
condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
level: low
title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
- attack.resource-development
- attack.t1588.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|windash: ' -accepteula'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same command line flag
level: low
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
Detects execution of Sysinternals tools via an AppX package.
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
- attack.execution
- attack.stealth
logsource:
product: windows
service: appmodel-runtime
detection:
selection:
EventID: 201
ImageName:
- 'procdump.exe'
- 'psloglist.exe'
- 'psexec.exe'
- 'livekd.exe'
- 'ADExplorer.exe'
condition: selection
falsepositives:
- Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low