Sigma rules for CVE-2023-3676
72 rules · scoped to cve · back to CVE-2023-3676
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
- id: 225d8b09-e714-479c-a0e4-55e6f29adf35
type: derived
status: test
description: |
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.stealth
- attack.t1070
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'events'
condition: selection
falsepositives:
- Unknown
level: medium
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
- id: 6ad91e31-53df-4826-bd27-0166171c8040
type: similar
status: test
description: |
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'admissionregistration.k8s.io'
objectRef.resource:
- 'mutatingwebhookconfigurations'
- 'validatingwebhookconfigurations'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Kubernetes CronJob/Job Modification
id: 0c9b3bda-41a6-4442-9345-356ae86343dc
related:
- id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
type: similar
status: test
description: |
Detects when a Kubernetes CronJob or Job is created or modified.
A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
author: kelnage
date: 2024-07-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'batch'
objectRef.resource:
- 'cronjobs'
- 'jobs'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
Detects potential Kubernetes enumeration or attack activity via the audit log.
This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
- https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
- attack.execution
- attack.discovery
- attack.t1609
- attack.t1613
logsource:
product: kubernetes
service: audit
detection:
selection_status:
responseStatus.code: 'ALLOW'
selection_request_uri:
requestURI|contains:
# Shells Encoded
- '%2fbin%2fash'
- '%2fbin%2fbash'
- '%2fbin%2fbusybox'
- '%2fbin%2fdash'
- '%2fbin%2fsh'
- '%2fbin%2fzsh'
# Shells Plain
- '/bin/ash'
- '/bin/bash'
- '/bin/busybox'
- '/bin/dash'
- '/bin/sh'
- '/bin/zsh'
# Tools Encoded
- '%2fusr%2fbin%2fcurl'
- '%2fusr%2fbin%2fkubectl'
- '%2fusr%2fbin%2fperl'
- '%2fusr%2fbin%2fpython'
- '%2fusr%2fbin%2fwget'
# Tools Plain
- '/usr/bin/curl'
- '/usr/bin/kubectl'
- '/usr/bin/perl'
- '/usr/bin/python'
- '/usr/bin/wget'
selection_request_user_agent:
userAgent|contains:
- 'access_matrix' # Rakkess
- 'trufflehog' # Secret scanning tool
- 'azurehound' # Azure/Cloud discovery
- 'micro-scanner' # Vulnerability scanning
condition: selection_status and 1 of selection_request_*
falsepositives:
- Authorized administrative maintenance via kubectl
- Automated internal infrastructure monitoring and certificate rotation
- Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
title: Kubernetes Secrets Modified or Deleted
id: 58d31a75-a4f8-4c40-985b-373d58162ca2
related:
- id: 2f0bae2d-bf20-4465-be86-1311addebaa3
type: similar
status: test
description: |
Detects when Kubernetes Secrets are Modified or Deleted.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
author: kelnage
date: 2024-07-11
tags:
- attack.credential-access
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.resource: 'secrets'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Kubernetes Rolebinding Modification
id: 10b97915-ec8d-455f-a815-9a78926585f6
related:
- id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
type: similar
status: test
description: |
Detects when a Kubernetes Rolebinding is created or modified.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
author: kelnage
date: 2024-07-11
tags:
- attack.privilege-escalation
logsource:
product: kubernetes
service: audit
detection:
selection:
objectRef.apiGroup: 'rbac.authorization.k8s.io'
objectRef.resource:
- 'clusterrolebindings'
- 'rolebindings'
verb:
- 'create'
- 'delete'
- 'patch'
- 'replace'
- 'update'
condition: selection
falsepositives:
- Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
- Automated processes may need to take these actions and may need to be filtered.
level: medium
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
falsepositives:
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
falsepositives:
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
status: test
description: Identifies the deletion of Azure Kubernetes Pods.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes CronJob
id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a
status: test
description: |
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-18
tags:
- attack.persistence
- attack.t1053.003
- attack.privilege-escalation
- attack.execution
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
operationName|endswith:
- '/CRONJOBS/WRITE'
- '/JOBS/WRITE'
condition: selection
falsepositives:
- Azure Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: test
description: Identifies when a service account is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1531
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
status: test
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection
falsepositives:
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.credential-access
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
falsepositives:
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
status: test
description: |
Identifies when an admission controller is executed in Azure Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName|startswith:
- 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
- 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
operationName|endswith:
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
condition: selection
falsepositives:
- Azure Kubernetes Admissions Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
status: test
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
references:
- https://github.com/elastic/detection-rules/pull/1267
- https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
- https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.credential-access
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.authorization.rbac.v*.clusterrolebindings.create
- io.k8s.authorization.rbac.v*.rolebindings.create
- io.k8s.authorization.rbac.v*.clusterrolebindings.patch
- io.k8s.authorization.rbac.v*.rolebindings.patch
- io.k8s.authorization.rbac.v*.clusterrolebindings.update
- io.k8s.authorization.rbac.v*.rolebindings.update
- io.k8s.authorization.rbac.v*.clusterrolebindings.delete
- io.k8s.authorization.rbac.v*.rolebindings.delete
condition: selection
falsepositives:
- RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
Identifies when an admission controller is executed in GCP Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
- attack.credential-access
- attack.t1552
- attack.t1552.007
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
gcp.audit.method_name|contains:
- '.mutatingwebhookconfigurations.'
- '.validatingwebhookconfigurations.'
gcp.audit.method_name|endswith:
- 'create'
- 'patch'
- 'replace'
condition: selection
falsepositives:
- Google Cloud Kubernetes Admission Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
status: test
description: Identifies when the Secrets are Modified or Deleted.
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
author: Austin Songer @austinsonger
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.credential-access
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.core.v*.secrets.create
- io.k8s.core.v*.secrets.update
- io.k8s.core.v*.secrets.patch
- io.k8s.core.v*.secrets.delete
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Google Cloud Kubernetes CronJob
id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
status: test
description: |
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://cloud.google.com/kubernetes-engine/docs
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
author: Austin Songer @austinsonger
date: 2021-11-22
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
logsource:
product: gcp
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.api.batch.v*.Job
- io.k8s.api.batch.v*.CronJob
condition: selection
falsepositives:
- Google Cloud Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: test
description: |
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1498
- attack.impact
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: low
title: Kubernetes Unauthorized or Unauthenticated Access
id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
status: test
description: |
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
This may indicate an attacker attempting to leverage credentials they have obtained.
references:
- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
- https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
author: kelnage
date: 2024-04-12
tags:
- attack.privilege-escalation
logsource:
product: kubernetes
service: audit
detection:
selection:
responseStatus.code:
- 401 # Unauthorized
- 403 # Forbidden
condition: selection
falsepositives:
- A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
level: low
title: Kubernetes Secrets Enumeration
id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
- id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
type: derived
status: test
description: Detects enumeration of Kubernetes secrets.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1552.007
- attack.credential-access
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'list'
objectRef.resource: 'secrets'
condition: selection
falsepositives:
- The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
level: low
title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
- id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
type: derived
status: test
description: |
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.persistence
- attack.t1136
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'serviceaccounts'
condition: selection
falsepositives:
- Unknown
level: low
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
falsepositives:
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
title: Windows LAPS Credential Dump From Entra ID
id: a4b25073-8947-489c-a8dd-93b41c23f26d
status: test
description: Detects when an account dumps the LAPS password from Entra ID.
references:
- https://twitter.com/NathanMcNulty/status/1785051227568632263
- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
author: andrewdanis
date: 2024-06-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.005
logsource:
product: azure
service: auditlogs
detection:
selection:
category: 'Device'
activityType|contains: 'Recover device local administrator password'
additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
condition: selection
falsepositives:
- Approved activity performed by an Administrator.
level: high
title: Tamper Windows Defender - PSClassic
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
- id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
type: similar
status: test
description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-07
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_classic_provider_start
detection:
selection_set_mppreference:
Data|contains: 'Set-MpPreference'
selection_options_bool_allow:
Data|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_options_actions_func:
Data|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: selection_set_mppreference and 1 of selection_options_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
title: Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
id: ae2bdd58-0681-48ac-be7f-58ab4e593458
related:
- id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
type: similar
status: test
description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_remove:
ScriptBlockText|contains: 'Remove-MpPreference'
selection_tamper:
ScriptBlockText|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
- id: ec19ebab-72dc-40e1-9728-4c0b805d722c
type: derived
status: test
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-16
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_options_disabling_preference:
ScriptBlockText|contains: 'Set-MpPreference'
selection_options_disabling_function:
ScriptBlockText|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_other_default_actions_allow:
ScriptBlockText|contains: 'Set-MpPreference'
selection_other_default_actions_func:
ScriptBlockText|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
status: test
description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
- https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
- https://www.shellhacks.com/clear-history-powershell/
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains: Clear-History
selection2a:
ScriptBlockText|contains:
- Remove-Item
- rm
selection2b:
ScriptBlockText|contains:
- ConsoleHost_history.txt
- (Get-PSReadlineOption).HistorySavePath
condition: selection1 or selection2a and selection2b
falsepositives:
- Unknown
level: high
title: PowerShell Set-Acl On Windows Folder - PsScript
id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1222
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
ScriptBlockText|contains:
- '-Path "C:\Windows'
- '-Path "C:/Windows'
- "-Path 'C:\\Windows"
- "-Path 'C:/Windows"
- '-Path C:\\Windows'
- '-Path C:/Windows'
- '-Path $env:windir'
- '-Path "$env:windir'
- "-Path '$env:windir"
selection_permissions:
# Note: Add more suspicious permissions
ScriptBlockText|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: file_event
product: windows
detection:
selection_generic:
Image|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\smss.exe'
- '\wininit.exe'
- '\winlogon.exe'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.ps1'
- '.txt'
- '.vbe'
- '.vbs'
selection_special:
Image|endswith:
- '\dllhost.exe'
- '\rundll32.exe'
- '\svchost.exe'
TargetFilename|endswith:
- '.bat'
- '.hta'
- '.iso'
- '.ps1'
- '.vbe'
- '.vbs'
filter_main_AppLockerPolicyTest:
Image: 'C:\Windows\System32\dllhost.exe'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
filter_main_clipchamp:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Program Files\WindowsApps\Clipchamp'
- '.ps1'
filter_main_powershell_preview:
Image:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|startswith:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
TargetFilename|endswith: '.ps1'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection_1:
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\powershell.exe'
- '\pwsh.exe'
- '\sh.exe'
- '\wscript.exe'
TargetFilename|startswith:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
selection_2:
Image|endswith:
- '\certutil.exe'
- '\forfiles.exe'
- '\mshta.exe'
# - '\rundll32.exe' # Potential FP
- '\schtasks.exe'
- '\scriptrunner.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
TargetFilename|contains:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection1:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
selection2:
Image: 'C:\Windows\system32\DllHost.exe'
TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsolete
- id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
type: obsolete
- id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
type: obsolete
status: test
description: |
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
- attack.impact
- attack.defense-impairment
- attack.t1489
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_tools_img:
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'psservice.exe'
- 'pwsh.dll'
- 'sc.exe'
- 'wmic.exe'
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- '\PowerShell_ISE.EXE'
- '\powershell.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\pwsh.exe'
- '\sc.exe'
- '\wmic.exe' # wmic process call win32_service where name='servicename' delete
selection_tools_cli:
- CommandLine|contains:
- ' delete '
- '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
- ' pause ' # Covers flags from: PsService and Sc.EXE
- ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
- 'Stop-Service '
- 'Remove-Service '
- CommandLine|contains|all:
- 'config'
- 'start=disabled'
selection_services:
CommandLine|contains:
- '143Svc'
- 'Acronis VSS Provider'
- 'AcronisAgent'
- 'AcrSch2Svc'
- 'AdobeARMservice'
- 'AHS Service'
- 'Antivirus'
- 'Apache4'
- 'ARSM'
- 'aswBcc'
- 'AteraAgent'
- 'Avast Business Console Client Antivirus Service'
- 'avast! Antivirus'
- 'AVG Antivirus'
- 'avgAdminClient'
- 'AvgAdminServer'
- 'AVP1'
- 'BackupExec'
- 'bedbg'
- 'BITS'
- 'BrokerInfrastructure'
- 'CASLicenceServer'
- 'CASWebServer'
- 'Client Agent 7.60'
- 'Core Browsing Protection'
- 'Core Mail Protection'
- 'Core Scanning Server'
- 'DCAgent'
- 'dwmrcs'
- 'EhttpSr'
- 'ekrn'
- 'Enterprise Client Service'
- 'epag'
- 'EPIntegrationService'
- 'EPProtectedService'
- 'EPRedline'
- 'EPSecurityService'
- 'EPUpdateService'
- 'EraserSvc11710'
- 'EsgShKernel'
- 'ESHASRV'
- 'FA_Scheduler'
- 'FirebirdGuardianDefaultInstance'
- 'FirebirdServerDefaultInstance'
- 'FontCache3.0.0.0'
- 'HealthTLService'
- 'hmpalertsvc'
- 'HMS'
- 'HostControllerService'
- 'hvdsvc'
- 'IAStorDataMgrSvc'
- 'IBMHPS'
- 'ibmspsvc'
- 'IISAdmin'
- 'IMANSVC'
- 'IMAP4Svc'
- 'instance2'
- 'KAVFS'
- 'KAVFSGT'
- 'kavfsslp'
- 'KeyIso'
- 'klbackupdisk'
- 'klbackupflt'
- 'klflt'
- 'klhk'
- 'KLIF'
- 'klim6'
- 'klkbdflt'
- 'klmouflt'
- 'klnagent'
- 'klpd'
- 'kltap'
- 'KSDE1.0.0'
- 'LogProcessorService'
- 'M8EndpointAgent'
- 'macmnsvc'
- 'masvc'
- 'MBAMService'
- 'MBCloudEA'
- 'MBEndpointAgent'
- 'McAfeeDLPAgentService'
- 'McAfeeEngineService'
- 'MCAFEEEVENTPARSERSRV'
- 'McAfeeFramework'
- 'MCAFEETOMCATSRV530'
- 'McShield'
- 'McTaskManager'
- 'mfefire'
- 'mfemms'
- 'mfevto'
- 'mfevtp'
- 'mfewc'
- 'MMS'
- 'mozyprobackup'
- 'mpssvc'
- 'MSComplianceAudit'
- 'MSDTC'
- 'MsDtsServer'
- 'MSExchange'
- 'msftesq1SPROO'
- 'msftesql$PROD'
- 'msftesql$SQLEXPRESS'
- 'MSOLAP$SQL_2008'
- 'MSOLAP$SYSTEM_BGC'
- 'MSOLAP$TPS'
- 'MSOLAP$TPSAMA'
- 'MSOLAPSTPS'
- 'MSOLAPSTPSAMA'
- 'mssecflt'
- 'MSSQ!I.SPROFXENGAGEMEHT'
- 'MSSQ0SHAREPOINT'
- 'MSSQ0SOPHOS'
- 'MSSQL'
- 'MSSQLFDLauncher$'
- 'MySQL'
- 'NanoServiceMain'
- 'NetMsmqActivator'
- 'NetPipeActivator'
- 'netprofm'
- 'NetTcpActivator'
- 'NetTcpPortSharing'
- 'ntrtscan'
- 'nvspwmi'
- 'ofcservice'
- 'Online Protection System'
- 'OracleClientCache80'
- 'OracleDBConsole'
- 'OracleMTSRecoveryService'
- 'OracleOraDb11g_home1'
- 'OracleService'
- 'OracleVssWriter'
- 'osppsvc'
- 'PandaAetherAgent'
- 'PccNTUpd'
- 'PDVFSService'
- 'POP3Svc'
- 'postgresql-x64-9.4'
- 'POVFSService'
- 'PSUAService'
- 'Quick Update Service'
- 'RepairService'
- 'ReportServer'
- 'ReportServer$'
- 'RESvc'
- 'RpcEptMapper'
- 'sacsvr'
- 'SamSs'
- 'SAVAdminService'
- 'SAVService'
- 'ScSecSvc'
- 'SDRSVC'
- 'SearchExchangeTracing'
- 'sense'
- 'SentinelAgent'
- 'SentinelHelperService'
- 'SepMasterService'
- 'ShMonitor'
- 'Smcinst'
- 'SmcService'
- 'SMTPSvc'
- 'SNAC'
- 'SntpService'
- 'Sophos'
- 'SQ1SafeOLRService'
- 'SQL Backups'
- 'SQL Server'
- 'SQLAgent'
- 'SQLANYs_Sage_FAS_Fixed_Assets'
- 'SQLBrowser'
- 'SQLsafe'
- 'SQLSERVERAGENT'
- 'SQLTELEMETRY'
- 'SQLWriter'
- 'SSISTELEMETRY130'
- 'SstpSvc'
- 'storflt'
- 'svcGenericHost'
- 'swc_service'
- 'swi_filter'
- 'swi_service'
- 'swi_update'
- 'Symantec'
- 'sysmon'
- 'TeamViewer'
- 'Telemetryserver'
- 'ThreatLockerService'
- 'TMBMServer'
- 'TmCCSF'
- 'TmFilter'
- 'TMiCRCScanService'
- 'tmlisten'
- 'TMLWCSService'
- 'TmPfw'
- 'TmPreFilter'
- 'TmProxy'
- 'TMSmartRelayService'
- 'tmusa'
- 'Tomcat'
- 'Trend Micro Deep Security Manager'
- 'TrueKey'
- 'UFNet'
- 'UI0Detect'
- 'UniFi'
- 'UTODetect'
- 'vds'
- 'Veeam'
- 'VeeamDeploySvc'
- 'Veritas System Recovery'
- 'vmic'
- 'VMTools'
- 'vmvss'
- 'VSApiNt'
- 'VSS'
- 'W3Svc'
- 'wbengine'
- 'WdNisSvc'
- 'WeanClOudSve'
- 'Weems JY'
- 'WinDefend'
- 'wmms'
- 'wozyprobackup'
- 'WPFFontCache_v0400'
- 'WRSVC'
- 'wsbexchange'
- 'WSearch'
- 'wscsvc'
- 'Zoolz 2 Service'
condition: all of selection_*
falsepositives:
- Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
title: Suspicious Uninstall of Windows Defender Feature via PowerShell
id: c443012c-7928-43bf-ac20-7eda5efe61ad
status: experimental
description: |
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.windows.servermanager.migration/uninstall-windowsfeature
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
author: yxinmiracle
date: 2025-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_uninstall:
CommandLine|contains:
- 'Uninstall-WindowsFeature'
- 'Remove-WindowsFeature' # Only supported in Windows Server 2008 R2 and Windows 2012 R2
selection_cli_defender_feature:
CommandLine|contains: 'Windows-Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
- id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
type: similar
status: experimental
description: |
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_action:
CommandLine|contains:
- 'del'
- 'Remove-Item'
- 'ri '
selection_reg_path:
CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
condition: all of selection_*
falsepositives:
- May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
- https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_root_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_root_path:
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
- 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_0:
CommandLine|contains|all:
- ' add '
- 'd 0'
CommandLine|contains:
- 'DisallowExploitProtectionOverride'
- 'EnableControlledFolderAccess'
- 'MpEnablePus'
- 'PUAProtection'
- 'SpynetReporting'
- 'SubmitSamplesConsent'
- 'TamperProtection'
selection_dword_1:
CommandLine|contains|all:
- ' add '
- 'd 1'
CommandLine|contains:
- 'DisableAccess'
- 'DisableAntiSpyware'
- 'DisableAntiSpywareRealtimeProtection'
- 'DisableAntiVirus'
- 'DisableAntiVirusSignatures'
- 'DisableArchiveScanning'
- 'DisableBehaviorMonitoring'
- 'DisableBlockAtFirstSeen'
- 'DisableCloudProtection'
- 'DisableConfig'
- 'DisableEnhancedNotifications'
- 'DisableIntrusionPreventionSystem'
- 'DisableIOAVProtection'
- 'DisableNetworkProtection'
- 'DisableOnAccessProtection'
- 'DisablePrivacyMode'
- 'DisableRealtimeMonitoring'
- 'DisableRoutinelyTakingAction'
- 'DisableScanOnRealtimeEnable'
- 'DisableScriptScanning'
- 'DisableSecurityCenter'
- 'Notification_Suppress'
- 'SignatureDisableUpdateOnStartupWithoutEngine'
condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
- Rare legitimate use by administrators to test software (should always be investigated)
level: high
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_path:
CommandLine|contains:
- '\Control\WMI\Autologger\DefenderApiLogger\Start'
- '\Control\WMI\Autologger\DefenderAuditLogger\Start'
selection_reg_add:
CommandLine|contains|all:
- 'add'
- '0'
filter_main_enable:
CommandLine|contains: '0x00000001'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Highly unlikely
level: high
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects attempts to disable Windows EventLog autologger sessions via registry modification.
The AutoLogger event tracing session records events that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://ptylu.github.io/content/report/report.html?report=25
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\reg.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'reg.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_action:
CommandLine|contains:
- 'add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'si ' # Set-ItemProperty alias
selection_cli_base:
CommandLine|contains: '\Control\WMI\Autologger\'
selection_cli_key:
CommandLine|contains:
- 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
- 'Enabled' # Key used to disable specific provider of autologger session
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
- id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
type: similar
status: experimental
description: |
Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
AMSI provides a generic interface for applications and services to integrate with antimalware products.
Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_key:
CommandLine|contains|all:
- '\Software\Microsoft\Windows Script\Settings'
- 'AmsiEnable'
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains: 'add'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd:
CommandLine|contains:
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'sp '
condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'MpCmdRun.exe'
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: 'MpCmdRun.exe'
- Description: 'Microsoft Malware Protection Command Line Utility'
selection_cli:
CommandLine|contains|all:
- 'DownloadFile'
- 'url'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage|endswith: '\mmc.exe'
selection2:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- Image|contains: '\BITSADMIN'
condition: all of selection*
level: high