Sigma rules for CVE-2023-41745
109 rules · scoped to cve · back to CVE-2023-41745
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Uninstall of Windows Defender Feature via PowerShell
id: c443012c-7928-43bf-ac20-7eda5efe61ad
status: experimental
description: |
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.windows.servermanager.migration/uninstall-windowsfeature
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
author: yxinmiracle
date: 2025-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_uninstall:
CommandLine|contains:
- 'Uninstall-WindowsFeature'
- 'Remove-WindowsFeature' # Only supported in Windows Server 2008 R2 and Windows 2012 R2
selection_cli_defender_feature:
CommandLine|contains: 'Windows-Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
- id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
type: similar
status: experimental
description: |
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_action:
CommandLine|contains:
- 'del'
- 'Remove-Item'
- 'ri '
selection_reg_path:
CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
condition: all of selection_*
falsepositives:
- May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
- https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_root_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_root_path:
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
- 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_0:
CommandLine|contains|all:
- ' add '
- 'd 0'
CommandLine|contains:
- 'DisallowExploitProtectionOverride'
- 'EnableControlledFolderAccess'
- 'MpEnablePus'
- 'PUAProtection'
- 'SpynetReporting'
- 'SubmitSamplesConsent'
- 'TamperProtection'
selection_dword_1:
CommandLine|contains|all:
- ' add '
- 'd 1'
CommandLine|contains:
- 'DisableAccess'
- 'DisableAntiSpyware'
- 'DisableAntiSpywareRealtimeProtection'
- 'DisableAntiVirus'
- 'DisableAntiVirusSignatures'
- 'DisableArchiveScanning'
- 'DisableBehaviorMonitoring'
- 'DisableBlockAtFirstSeen'
- 'DisableCloudProtection'
- 'DisableConfig'
- 'DisableEnhancedNotifications'
- 'DisableIntrusionPreventionSystem'
- 'DisableIOAVProtection'
- 'DisableNetworkProtection'
- 'DisableOnAccessProtection'
- 'DisablePrivacyMode'
- 'DisableRealtimeMonitoring'
- 'DisableRoutinelyTakingAction'
- 'DisableScanOnRealtimeEnable'
- 'DisableScriptScanning'
- 'DisableSecurityCenter'
- 'Notification_Suppress'
- 'SignatureDisableUpdateOnStartupWithoutEngine'
condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
- Rare legitimate use by administrators to test software (should always be investigated)
level: high
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_path:
CommandLine|contains:
- '\Control\WMI\Autologger\DefenderApiLogger\Start'
- '\Control\WMI\Autologger\DefenderAuditLogger\Start'
selection_reg_add:
CommandLine|contains|all:
- 'add'
- '0'
filter_main_enable:
CommandLine|contains: '0x00000001'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Highly unlikely
level: high
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
- id: f37b4bce-49d0-4087-9f5b-58bffda77316
type: similar
status: experimental
description: |
Detects attempts to disable Windows EventLog autologger sessions via registry modification.
The AutoLogger event tracing session records events that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://ptylu.github.io/content/report/report.html?report=25
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\reg.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'reg.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_action:
CommandLine|contains:
- 'add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'si ' # Set-ItemProperty alias
selection_cli_base:
CommandLine|contains: '\Control\WMI\Autologger\'
selection_cli_key:
CommandLine|contains:
- 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
- 'Enabled' # Key used to disable specific provider of autologger session
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
- id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
type: similar
status: experimental
description: |
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.credential-access
- attack.t1552
- attack.collection
- attack.execution
- attack.t1005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more script interpreters as needed
- '\node.exe'
- '\bun.exe'
selection_child:
- Image|endswith:
- 'trufflehog.exe'
- 'gitleaks.exe'
- CommandLine|contains:
- 'trufflehog'
- 'gitleaks'
condition: all of selection_*
falsepositives:
- Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
- id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
type: similar
status: experimental
description: |
Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
AMSI provides a generic interface for applications and services to integrate with antimalware products.
Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_key:
CommandLine|contains|all:
- '\Software\Microsoft\Windows Script\Settings'
- 'AmsiEnable'
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains: 'add'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd:
CommandLine|contains:
- 'Set-ItemProperty'
- 'New-ItemProperty'
- 'sp '
condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'MpCmdRun.exe'
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: 'MpCmdRun.exe'
- Description: 'Microsoft Malware Protection Command Line Utility'
selection_cli:
CommandLine|contains|all:
- 'DownloadFile'
- 'url'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage|endswith: '\mmc.exe'
selection2:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- Image|contains: '\BITSADMIN'
condition: all of selection*
level: high
title: Tamper Windows Defender Remove-MpPreference
id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
related:
- id: ae2bdd58-0681-48ac-be7f-58ab4e593458
type: similar
status: test
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_remove:
CommandLine|contains: 'Remove-MpPreference'
selection_tamper:
CommandLine|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
- id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
type: similar
- id: 2fbbe9ff-0afc-470b-bdc0-592198339968
type: derived
status: experimental
description: |
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
- attack.command-and-control
- attack.stealth
- attack.t1219.002
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_meshagent:
- CommandLine|contains: '--meshServiceName'
- OriginalFileName|contains: 'meshagent'
filter_main_legitimate:
Image|endswith: '\meshagent.exe'
condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Windows Defender Definition Files Removed
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
author: frack113
date: 2021-07-07
modified: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\MpCmdRun.exe'
- OriginalFileName: MpCmdRun.exe
selection_cli:
CommandLine|contains|all:
- ' -RemoveDefinitions'
- ' -All'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pwsh_binary:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- '-DisableBehaviorMonitoring $true'
- '-DisableRuntimeMonitoring $true'
selection_sc_binary:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_stop:
CommandLine|contains|all:
- 'stop'
- 'WinDefend'
selection_sc_tamper_cmd_delete:
CommandLine|contains|all:
- 'delete'
- 'WinDefend'
selection_sc_tamper_cmd_disabled:
CommandLine|contains|all:
- 'config'
- 'WinDefend'
- 'start=disabled'
condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
- 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
title: PowerShell Set-Acl On Windows Folder
id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
CommandLine|contains:
- '-Path "C:\Windows'
- "-Path 'C:\\Windows"
- '-Path %windir%'
- '-Path $env:windir'
selection_permissions:
# Note: Add more suspicious permissions
CommandLine|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'set'
- 'config'
- 'section:httplogging'
- 'dontLog:true'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
- https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685
- attack.t1685.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\logman.exe'
- OriginalFileName: 'Logman.exe'
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains:
- 'Circular Kernel Context Logger'
- 'EventLog-' # Cover multiple traces starting with EventLog-*
- 'SYSMON TRACE'
- 'SysmonDnsEtwSession'
condition: all of selection*
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
level: high
title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
- id: 899133d5-4d7c-4a7f-94ee-27355c879d90
type: derived
status: test
description: Detects python spawning a pretty tty
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
selection_cli_1:
CommandLine|contains|all:
- 'import pty'
- '.spawn('
selection_cli_2:
CommandLine|contains: 'from pty import spawn'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
- id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
type: similar
- id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
type: similar
status: experimental
description: |
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
- https://woshub.com/disable-credential-guard-windows/
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'reg.exe'
selection_cli:
CommandLine|contains:
# add/modify
- 'add '
- 'New-ItemProperty '
- 'Set-ItemProperty '
- 'si ' # SetItem Alias
# delete
- 'delete '
- 'del '
- 'Remove-ItemProperty '
- 'rp '
selection_key_base:
CommandLine|contains:
- '\Control\DeviceGuard'
- '\Control\LSA'
- 'Software\Policies\Microsoft\Windows\DeviceGuard'
selection_key_specific:
CommandLine|contains:
- 'EnableVirtualizationBasedSecurity'
- 'RequirePlatformSecurityFeatures'
- 'LsaCfgFlags'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
# - '\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
- '\regsvr32.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
filter_ccmcache:
CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
ParentImage|endswith: '\mshta.exe'
Image|endswith: '\mshta.exe'
ParentCommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\splash.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
CommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\SMSSETUP\BIN\'
- '\autorun.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
condition: selection and not 1 of filter_*
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
filter_main_access:
GrantedAccess: '0x80000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
- id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
type: similar
status: experimental
description: |
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
- https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.007
- attack.t1548.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains:
- ':\Windows \System32\' # Note the space between "Windows" and "System32"
- ':\Windows \SysWOW64\' # Note the space between "Windows" and "SysWOW64"
condition: selection
falsepositives:
- Unlikely
level: high
title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
- id: cde0a575-7d3d-4a49-9817-b8004a7bf105
type: derived
status: test
description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023-02-26
modified: 2024-05-10
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- 2097
ApplicationPath|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
filter_main_block:
Action: 2 # Block
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: test
description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-17
modified: 2024-01-22
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
- 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
filter_main_svchost:
ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
filter_optional_msmpeng:
ModifyingApplication|contains|all:
- ':\ProgramData\Microsoft\Windows Defender\Platform\'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
- https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019-10-31
modified: 2022-10-09
tags:
- attack.persistence
- attack.t1136.001
- attack.t1136.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
SamAccountName|contains|all:
- 'ANONYMOUS'
- 'LOGON'
condition: selection
falsepositives:
- Unknown
level: high
title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
- id: 69aeb277-f15f-4d2d-b32a-55e883609563
type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
- https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
- https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
product: windows
service: security
definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
selection_state_success_and_failure:
EventID: 4719
SubcategoryGuid:
# Note: Add or remove GUID as you see fit in your env
- '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
- '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
- '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
- '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
- '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
- '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
- '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
- '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
- '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
- '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
- '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
- '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
- '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
- '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
selection_state_success_only:
EventID: 4719
SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
AuditPolicyChanges|contains: '%%8448'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
title: Windows Filtering Platform Blocked Connection From EDR Agent Binary
id: bacf58c6-e199-4040-a94f-95dea0f1e45a
status: test
description: |
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
references:
- https://github.com/netero1010/EDRSilencer
- https://github.com/amjcyber/EDRNoiseMaker
- https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
author: '@gott_cyber'
date: 2024-01-08
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: security
definition: 'Requirements: Audit Filtering Platform Connection needs to be enabled'
detection:
selection:
EventID: 5157
Application|endswith:
- '\AmSvc.exe' # Cybereason
- '\cb.exe' # Carbon Black EDR
- '\CETASvc.exe' # TrendMicro Apex One
- '\CNTAoSMgr.exe' # TrendMicro Apex One
- '\CrAmTray.exe' # Cybereason
- '\CrsSvc.exe' # Cybereason
- '\CSFalconContainer.exe' # CrowdStrike Falcon
- '\CSFalconService.exe' # CrowdStrike Falcon
- '\CybereasonAV.exe' # Cybereason
- '\CylanceSvc.exe' # Cylance
- '\cyserver.exe' # Palo Alto Networks Traps/Cortex XDR
- '\CyveraService.exe' # Palo Alto Networks Traps/Cortex XDR
- '\CyvrFsFlt.exe' # Palo Alto Networks Traps/Cortex XDR
- '\EIConnector.exe' # ESET Inspect
- '\elastic-agent.exe' # Elastic EDR
- '\elastic-endpoint.exe' # Elastic EDR
- '\EndpointBasecamp.exe' # TrendMicro Apex One
- '\ExecutionPreventionSvc.exe' # Cybereason
- '\filebeat.exe' # Elastic EDR
- '\fortiedr.exe' # FortiEDR
- '\hmpalert.exe' # Sophos EDR
- '\hurukai.exe' # Harfanglab EDR
- '\LogProcessorService.exe' # SentinelOne
- '\mcsagent.exe' # Sophos EDR
- '\mcsclient.exe' # Sophos EDR
- '\MsMpEng.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- '\MsSense.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- '\Ntrtscan.exe' # TrendMicro Apex One
- '\PccNTMon.exe' # TrendMicro Apex One
- '\QualysAgent.exe' # Qualys EDR
- '\RepMgr.exe' # Carbon Black Cloud
- '\RepUtils.exe' # Carbon Black Cloud
- '\RepUx.exe' # Carbon Black Cloud
- '\RepWAV.exe' # Carbon Black Cloud
- '\RepWSC.exe' # Carbon Black Cloud
- '\sedservice.exe' # Sophos EDR
- '\SenseCncProxy.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- '\SenseIR.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- '\SenseNdr.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- '\SenseSampleUploader.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- '\SentinelAgent.exe' # SentinelOne
- '\SentinelAgentWorker.exe' # SentinelOne
- '\SentinelBrowserNativeHost.exe' # SentinelOne
- '\SentinelHelperService.exe' # SentinelOne
- '\SentinelServiceHost.exe' # SentinelOne
- '\SentinelStaticEngine.exe' # SentinelOne
- '\SentinelStaticEngineScanner.exe' # SentinelOne
- '\sfc.exe' # Cisco Secure Endpoint (Formerly Cisco AMP)
- '\sophos ui.exe' # Sophos EDR
- '\sophosfilescanner.exe' # Sophos EDR
- '\sophosfs.exe' # Sophos EDR
- '\sophoshealth.exe' # Sophos EDR
- '\sophosips.exe' # Sophos EDR
- '\sophosLivequeryservice.exe' # Sophos EDR
- '\sophosnetfilter.exe' # Sophos EDR
- '\sophosntpservice.exe' # Sophos EDR
- '\sophososquery.exe' # Sophos EDR
- '\sspservice.exe' # Sophos EDR
- '\TaniumClient.exe' # Tanium
- '\TaniumCX.exe' # Tanium
- '\TaniumDetectEngine.exe' # Tanium
- '\TMBMSRV.exe' # TrendMicro Apex One
- '\TmCCSF.exe' # TrendMicro Apex One
- '\TmListen.exe' # TrendMicro Apex One
- '\TmWSCSvc.exe' # TrendMicro Apex One
- '\Traps.exe' # Palo Alto Networks Traps/Cortex XDR
- '\winlogbeat.exe' # Elastic EDR
- '\WSCommunicator.exe' # TrendMicro Apex One
- '\xagt.exe' # Trellix EDR
condition: selection
falsepositives:
- Unlikely
level: high
title: Windows Defender Threat Detected
id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
status: stable
description: Detects actions taken by Windows Defender malware detection engines
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
author: Ján Trenčanský
date: 2020-07-28
tags:
- attack.execution
- attack.t1059
logsource:
product: windows
service: windefend
detection:
selection:
EventID:
- 1006 # The antimalware engine found malware or other potentially unwanted software.
- 1015 # The antimalware platform detected suspicious behavior.
- 1116 # The antimalware platform detected malware or other potentially unwanted software.
- 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
condition: selection
falsepositives:
- Unlikely
level: high
title: Windows Defender Configuration Changes
id: 801bd44f-ceed-4eb6-887c-11544633c0aa
related:
- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
type: similar
- id: a3ab73f1-bd46-4319-8f06-4b20d0617886
type: similar
- id: 91903aba-1088-42ee-b680-d6d94fe002b0
type: similar
status: stable
description: Detects suspicious changes to the Windows Defender configuration
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
modified: 2023-11-24
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains:
# TODO: Add more suspicious values
- '\Windows Defender\DisableAntiSpyware '
# - '\Windows Defender\Features\TamperProtection ' # Might produce FP
- '\Windows Defender\Scan\DisableRemovableDriveScanning '
- '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
- '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
- '\Real-Time Protection\SpyNetReporting '
# Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
# Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
condition: selection
falsepositives:
- Administrator activity (must be investigated)
level: high
title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
type: obsolete
status: stable
description: |
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5101 # The antimalware platform is expired.
condition: selection
falsepositives:
- Unknown
level: high
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
- https://twitter.com/cglyer/status/1182389676876980224
- https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\EdgeTransport.exe'
filter_conhost:
Image: 'C:\Windows\System32\conhost.exe'
filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
Image|endswith: '\Bin\OleConverter.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: critical
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
- https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-uri|contains: 'momyshark\?key='
condition: selection
falsepositives:
- Unlikely
level: critical
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
- id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
type: similar
status: experimental
description: |
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\baaupdate.exe'
Image|endswith:
- '\bitsadmin.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: test
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
author: Bhabesh Raj
date: 2021-09-01
modified: 2022-12-25
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
service: application
product: windows
detection:
selection:
EventID: 1033
Provider_Name: MsiInstaller
Message|contains: AteraAgent
condition: selection
falsepositives:
- Legitimate Atera agent installation
level: high
title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of a Exchange Transport Agent
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
- attack.persistence
- attack.t1505.002
logsource:
service: msexchange-management
product: windows
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
EventID: 6
Data|contains: 'Install-TransportAgent'
condition: selection
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high
title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
- https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
- https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
- https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# RATs
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
- 'HttpBrowser/1.0' # HTTPBrowser RAT
- '*<|>*' # Houdini / Iniduoh / njRAT
- 'nsis_inetc (mozilla)' # ZeroAccess
- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
# Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
# Malware
- '*zeroup*' # W32/Renos.Downloader
- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
- '* adlib/*'
- '* tiny' # Trojan Downloader
- '* BGroom *' # Trojan Downloader
- '* changhuatong'
- '* CholTBAgent'
- 'Mozilla/5.0 WinInet'
- 'RookIE/1.0'
- 'M' # HkMain
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
- 'backdoorbot'
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
- 'Opera' # Trojan Keragany
- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
- 'MSIE' # Toby web shell
- '*(Charon; Inferno)' # Loki Bot
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
# Ursnif
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
# Emotet
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
# Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
- 'Mozilla/5.0 (Windows NT 6.1)'
- 'AppleWebkit/587.38 (KHTML, like Gecko)'
- 'Chrome/91.0.4472.77'
- 'Safari/537.36'
- 'Edge/91.0.864.37'
- 'Firefox/89.0'
- 'Gecko/20100101'
# Others
- '* pxyscand*'
- '* asd'
- '* mdms'
- 'sample'
- 'nocase'
- 'Moxilla'
- 'Win32 *'
- '*Microsoft Internet Explorer*'
- 'agent *'
- 'AutoIt' # Suspicious - base-lining recommended
- 'IczelionDownLoad'
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
- 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
- 'antSword/v2.1' # AntSword Webshell UA
- 'rqwrwqrqwrqw' # Racoon Stealer
- 'qwrqrwrqwrqwr' # Racoon Stealer
- 'rc2.0/client' # Racoon Stealer
- 'TakeMyPainBack' # Racoon Stealer
- 'xxx' # Racoon Stealer
- '20112211' # Racoon Stealer
- '23591' # Racoon Stealer
- '901785252112' # Racoon Stealer
- '1235125521512' # Racoon Stealer
- '125122112551' # Racoon Stealer
- 'B1D3N_RIM_MY_ASS' # Racoon Stealer
- 'AYAYAYAY1337' # Racoon Stealer
- 'iMightJustPayMySelfForAFeature' # Racoon Stealer
- 'ForAFeature' # Racoon Stealer
- 'Ares_ldr_v_*' # AresLoader
# - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
- 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
- 'CLCTR' # https://github.com/silence-is-best/c2db
- 'uploader' # https://github.com/silence-is-best/c2db
- 'agent' # https://github.com/silence-is-best/c2db
- 'License' # https://github.com/silence-is-best/c2db
- 'vb wininet' # https://github.com/silence-is-best/c2db
- 'Client' # https://github.com/silence-is-best/c2db
- 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
- 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
- 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
- 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
- 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
- 'DuckTales' # Racoon Stealer
- 'Zadanie' # Racoon Stealer
- 'GunnaWunnaBlueTips' # Racoon Stealer
- 'Xlmst' # Racoon Stealer
- 'GeekingToTheMoon' # Racoon Stealer
- 'SunShineMoonLight' # Racoon Stealer
- 'BunnyRequester' # BunnyStealer
- 'BunnyTasks' # BunnyStealer
- 'BunnyStealer' # BunnyStealer
- 'BunnyLoader_Dropper' # BunnyStealer
- 'BunnyLoader' # BunnyStealer
- 'BunnyShell' # BunnyStealer
- 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
- '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
- 'SouthSide' # Racoon Stealer
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
condition: selection
falsepositives:
- Unknown
level: high
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
- attack.initial-access
- attack.t1190
- attack.credential-access
- attack.t1110
logsource:
category: proxy
detection:
selection:
c-useragent|contains:
# Vulnerability scanner and brute force tools
- '(hydra)'
- ' arachni/'
- ' BFAC '
- ' brutus '
- ' cgichk '
- 'core-project/1.0'
- ' crimscanner/'
- 'datacha0s'
- 'dirbuster'
- 'domino hunter'
- 'dotdotpwn'
- 'FHScan Core'
- 'floodgate'
- 'get-minimal'
- 'gootkit auto-rooter scanner'
- 'grendel-scan'
- ' inspath '
- 'internet ninja'
- 'jaascois'
- ' zmeu '
- 'masscan'
- ' metis '
- 'morfeus fucking scanner'
- 'n-stealth'
- 'nsauditor'
- 'pmafind'
- 'security scan'
- 'springenwerk'
- 'teh forest lobster'
- 'toata dragostea'
- ' vega/'
- 'voideye'
- 'webshag'
- 'webvulnscan'
- ' whcc/'
# SQL Injection
- ' Havij'
- 'absinthe'
- 'bsqlbf'
- 'mysqloit'
- 'pangolin'
- 'sql power injector'
- 'sqlmap'
- 'sqlninja'
- 'uil2pn'
# Hack tool
- 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selection
falsepositives:
- Unknown
level: high
title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
- Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# APT Related
- 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
- 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
- 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
- 'webclient' # Naikon APT
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
- 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
- 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001' # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
condition: selection
falsepositives:
- Old browsers
level: high
title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
- Legitimate WebDAV administration
level: high
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Empire
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
# Exploits
- '*wordpress hash grabber*'
- '*exploit*'
# Havoc
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
condition: selection
falsepositives:
- Unknown
level: high
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
- https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
# XMRig
- 'XMRig '
# CCMiner
- 'ccminer'
condition: selection
falsepositives:
- Unknown
level: high
title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection1:
c-useragent|startswith:
- 'user-agent' # User-Agent: User-Agent:
- 'Mozilla/3.0 '
- 'Mozilla/2.0 '
- 'Mozilla/1.0 '
- 'Mozilla ' # missing slash
- ' Mozilla/' # leading space
- 'Mozila/' # single 'l'
- 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488
selection2:
c-useragent|contains:
- ' (compatible;MSIE ' # typical typo - missing space
- '.0;Windows NT ' # typical typo - missing space
- 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
selection3:
c-useragent:
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
- 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
- 'x' # Use by Racoon Stealer but could be something else
- 'xxx' # Use by Racoon Stealer but could be something else
falsepositives:
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
condition: 1 of selection* and not falsepositives
falsepositives:
- Unknown
level: high
title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
- https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1569.001
- attack.t1543.001
- attack.t1543.004
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/launchctl'
CommandLine|contains:
- 'submit'
- 'load'
- 'start'
condition: selection
falsepositives:
- Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
- https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219.002
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/amazon-ssm-agent'
CommandLine|contains|all:
- '-register '
- '-code '
- '-id '
- '-region '
condition: selection
falsepositives:
- Legitimate activity of system administrators
level: medium
title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: test
description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
modified: 2025-12-11
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
# Example: This command line would trigger the rule
# curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_header_flag_1:
CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
selection_header_flag_2:
CommandLine|contains: '--header'
selection_user_agent:
CommandLine|contains: 'User-Agent:'
condition: selection_img and 1 of selection_header_* and selection_user_agent
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
- https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\amazon-ssm-agent.exe'
CommandLine|contains|all:
- '-register '
- '-code '
- '-id '
- '-region '
condition: selection
falsepositives:
- Legitimate activity of system administrators
level: medium
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
- https://github.com/amidaware/tacticalrmm
- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
- attack.command-and-control
- attack.t1219
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\TacticalAgent\tacticalrmm.exe'
CommandLine|contains|all:
- '--api'
- '--auth'
- '--client-id'
- '--site-id'
- '--agent-type'
condition: selection
falsepositives:
- Legitimate system administrator deploying TacticalRMM
level: medium