Sigma rules for CVE-2023-48795
57 rules · scoped to cve · back to CVE-2023-48795
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
- attack.impact
- attack.t1496
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
- 'moneroocean.stream'
- 'monerocean.stream'
condition: selection
falsepositives:
- Legitimate use of crypto miners
level: high
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
- attack.impact
- attack.t1496
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- ' --cpu-priority='
- '--donate-level=0'
- ' -o pool.'
- ' --nicehash'
- ' --algo=rx/0 '
- 'stratum+tcp://'
- 'stratum+udp://'
# Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
- 'sh -c /sbin/modprobe msr allow_writes=on'
# base64 encoded: --donate-level=
- 'LS1kb25hdGUtbGV2ZWw9'
- '0tZG9uYXRlLWxldmVsP'
- 'tLWRvbmF0ZS1sZXZlbD'
# base64 encoded: stratum+tcp:// and stratum+udp://
- 'c3RyYXR1bSt0Y3A6Ly'
- 'N0cmF0dW0rdGNwOi8v'
- 'zdHJhdHVtK3RjcDovL'
- 'c3RyYXR1bSt1ZHA6Ly'
- 'N0cmF0dW0rdWRwOi8v'
- 'zdHJhdHVtK3VkcDovL'
condition: selection
falsepositives:
- Legitimate use of crypto miners
level: high
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1553.004
- attack.t1552.004
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'crypto pki export'
- 'crypto pki import'
- 'crypto pki trustpoint'
condition: keywords
falsepositives:
- Not commonly run by administrators. Also whitelist your known good certificates
level: high
title: Monero Crypto Coin Mining Pool Lookup
id: b593fd50-7335-4682-a36c-4edcb68e4641
status: stable
description: Detects suspicious DNS queries to Monero mining pools
references:
- https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
author: Florian Roth (Nextron Systems)
date: 2021-10-24
tags:
- attack.impact
- attack.t1496
- attack.exfiltration
- attack.t1567
logsource:
category: dns
detection:
selection:
query|contains:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
condition: selection
falsepositives:
- Legitimate crypto coin mining
level: high
title: Network Communication With Crypto Mining Pool
id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects initiated network connections to crypto mining pools
references:
- https://www.poolwatch.io/coin/monero
- https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-26
modified: 2024-01-19
tags:
- attack.impact
- attack.t1496
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname:
- 'alimabi.cn'
- 'ap.luckpool.net'
- 'bcn.pool.minergate.com'
- 'bcn.vip.pool.minergate.com'
- 'bohemianpool.com'
- 'ca-aipg.miningocean.org'
- 'ca-dynex.miningocean.org'
- 'ca-neurai.miningocean.org'
- 'ca-qrl.miningocean.org'
- 'ca-upx.miningocean.org'
- 'ca-zephyr.miningocean.org'
- 'ca.minexmr.com'
- 'ca.monero.herominers.com'
- 'cbd.monerpool.org'
- 'cbdv2.monerpool.org'
- 'cryptmonero.com'
- 'crypto-pool.fr'
- 'crypto-pool.info'
- 'cryptonight-hub.miningpoolhub.com'
- 'd1pool.ddns.net'
- 'd5pool.us'
- 'daili01.monerpool.org'
- 'de-aipg.miningocean.org'
- 'de-dynex.miningocean.org'
- 'de-zephyr.miningocean.org'
- 'de.minexmr.com'
- 'dl.nbminer.com'
- 'donate.graef.in'
- 'donate.ssl.xmrig.com'
- 'donate.v2.xmrig.com'
- 'donate.xmrig.com'
- 'donate2.graef.in'
- 'drill.moneroworld.com'
- 'dwarfpool.com'
- 'emercoin.com'
- 'emercoin.net'
- 'emergate.net'
- 'ethereumpool.co'
- 'eu.luckpool.net'
- 'eu.minerpool.pw'
- 'fcn-xmr.pool.minergate.com'
- 'fee.xmrig.com'
- 'fr-aipg.miningocean.org'
- 'fr-dynex.miningocean.org'
- 'fr-neurai.miningocean.org'
- 'fr-qrl.miningocean.org'
- 'fr-upx.miningocean.org'
- 'fr-zephyr.miningocean.org'
- 'fr.minexmr.com'
- 'hellominer.com'
- 'herominers.com'
- 'hk-aipg.miningocean.org'
- 'hk-dynex.miningocean.org'
- 'hk-neurai.miningocean.org'
- 'hk-qrl.miningocean.org'
- 'hk-upx.miningocean.org'
- 'hk-zephyr.miningocean.org'
- 'huadong1-aeon.ppxxmr.com'
- 'iwanttoearn.money'
- 'jw-js1.ppxxmr.com'
- 'koto-pool.work'
- 'lhr.nbminer.com'
- 'lhr3.nbminer.com'
- 'linux.monerpool.org'
- 'lokiturtle.herominers.com'
- 'luckpool.net'
- 'masari.miner.rocks'
- 'mine.c3pool.com'
- 'mine.moneropool.com'
- 'mine.ppxxmr.com'
- 'mine.zpool.ca'
- 'mine1.ppxxmr.com'
- 'minemonero.gq'
- 'miner.ppxxmr.com'
- 'miner.rocks'
- 'minercircle.com'
- 'minergate.com'
- 'minerpool.pw'
- 'minerrocks.com'
- 'miners.pro'
- 'minerxmr.ru'
- 'minexmr.cn'
- 'minexmr.com'
- 'mining-help.ru'
- 'miningpoolhub.com'
- 'mixpools.org'
- 'moner.monerpool.org'
- 'moner1min.monerpool.org'
- 'monero-master.crypto-pool.fr'
- 'monero.crypto-pool.fr'
- 'monero.hashvault.pro'
- 'monero.herominers.com'
- 'monero.lindon-pool.win'
- 'monero.miners.pro'
- 'monero.riefly.id'
- 'monero.us.to'
- 'monerocean.stream'
- 'monerogb.com'
- 'monerohash.com'
- 'moneroocean.stream'
- 'moneropool.com'
- 'moneropool.nl'
- 'monerorx.com'
- 'monerpool.org'
- 'moriaxmr.com'
- 'mro.pool.minergate.com'
- 'multipool.us'
- 'myxmr.pw'
- 'na.luckpool.net'
- 'nanopool.org'
- 'nbminer.com'
- 'node3.luckpool.net'
- 'noobxmr.com'
- 'pangolinminer.comgandalph3000.com'
- 'pool.4i7i.com'
- 'pool.armornetwork.org'
- 'pool.cortins.tk'
- 'pool.gntl.co.uk'
- 'pool.hashvault.pro'
- 'pool.minergate.com'
- 'pool.minexmr.com'
- 'pool.monero.hashvault.pro'
- 'pool.ppxxmr.com'
- 'pool.somec.cc'
- 'pool.support'
- 'pool.supportxmr.com'
- 'pool.usa-138.com'
- 'pool.xmr.pt'
- 'pool.xmrfast.com'
- 'pool2.armornetwork.org'
- 'poolchange.ppxxmr.com'
- 'pooldd.com'
- 'poolmining.org'
- 'poolto.be'
- 'ppxvip1.ppxxmr.com'
- 'ppxxmr.com'
- 'prohash.net'
- 'r.twotouchauthentication.online'
- 'randomx.xmrig.com'
- 'ratchetmining.com'
- 'seed.emercoin.com'
- 'seed.emercoin.net'
- 'seed.emergate.net'
- 'seed1.joulecoin.org'
- 'seed2.joulecoin.org'
- 'seed3.joulecoin.org'
- 'seed4.joulecoin.org'
- 'seed5.joulecoin.org'
- 'seed6.joulecoin.org'
- 'seed7.joulecoin.org'
- 'seed8.joulecoin.org'
- 'sg-aipg.miningocean.org'
- 'sg-dynex.miningocean.org'
- 'sg-neurai.miningocean.org'
- 'sg-qrl.miningocean.org'
- 'sg-upx.miningocean.org'
- 'sg-zephyr.miningocean.org'
- 'sg.minexmr.com'
- 'sheepman.mine.bz'
- 'siamining.com'
- 'sumokoin.minerrocks.com'
- 'supportxmr.com'
- 'suprnova.cc'
- 'teracycle.net'
- 'trtl.cnpool.cc'
- 'trtl.pool.mine2gether.com'
- 'turtle.miner.rocks'
- 'us-aipg.miningocean.org'
- 'us-dynex.miningocean.org'
- 'us-neurai.miningocean.org'
- 'us-west.minexmr.com'
- 'us-zephyr.miningocean.org'
- 'usxmrpool.com'
- 'viaxmr.com'
- 'webservicepag.webhop.net'
- 'xiazai.monerpool.org'
- 'xiazai1.monerpool.org'
- 'xmc.pool.minergate.com'
- 'xmo.pool.minergate.com'
- 'xmr-asia1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-us.suprnova.cc'
- 'xmr-usa.dwarfpool.com'
- 'xmr.2miners.com'
- 'xmr.5b6b7b.ru'
- 'xmr.alimabi.cn'
- 'xmr.bohemianpool.com'
- 'xmr.crypto-pool.fr'
- 'xmr.crypto-pool.info'
- 'xmr.f2pool.com'
- 'xmr.hashcity.org'
- 'xmr.hex7e4.ru'
- 'xmr.ip28.net'
- 'xmr.monerpool.org'
- 'xmr.mypool.online'
- 'xmr.nanopool.org'
- 'xmr.pool.gntl.co.uk'
- 'xmr.pool.minergate.com'
- 'xmr.poolto.be'
- 'xmr.ppxxmr.com'
- 'xmr.prohash.net'
- 'xmr.simka.pw'
- 'xmr.somec.cc'
- 'xmr.suprnova.cc'
- 'xmr.usa-138.com'
- 'xmr.vip.pool.minergate.com'
- 'xmr1min.monerpool.org'
- 'xmrf.520fjh.org'
- 'xmrf.fjhan.club'
- 'xmrfast.com'
- 'xmrigcc.graef.in'
- 'xmrminer.cc'
- 'xmrpool.de'
- 'xmrpool.eu'
- 'xmrpool.me'
- 'xmrpool.net'
- 'xmrpool.xyz'
- 'xx11m.monerpool.org'
- 'xx11mv2.monerpool.org'
- 'xxx.hex7e4.ru'
- 'zarabotaibitok.ru'
- 'zer0day.ru'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
- attack.impact
- attack.t1496
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' --cpu-priority='
- '--donate-level=0'
- ' -o pool.'
- ' --nicehash'
- ' --algo=rx/0 '
- 'stratum+tcp://'
- 'stratum+udp://'
# base64 encoded: --donate-level=
- 'LS1kb25hdGUtbGV2ZWw9'
- '0tZG9uYXRlLWxldmVsP'
- 'tLWRvbmF0ZS1sZXZlbD'
# base64 encoded: stratum+tcp:// and stratum+udp://
- 'c3RyYXR1bSt0Y3A6Ly'
- 'N0cmF0dW0rdGNwOi8v'
- 'zdHJhdHVtK3RjcDovL'
- 'c3RyYXR1bSt1ZHA6Ly'
- 'N0cmF0dW0rdWRwOi8v'
- 'zdHJhdHVtK3VkcDovL'
filter:
CommandLine|contains:
- ' pool.c '
- ' pool.o '
- 'gcc -'
condition: selection and not filter
falsepositives:
- Legitimate use of crypto miners
- Some build frameworks
level: high
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
- https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
# XMRig
- 'XMRig '
# CCMiner
- 'ccminer'
condition: selection
falsepositives:
- Unknown
level: high
title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
Detects file access requests to crypto currency files by uncommon processes.
Could indicate potential attempt of crypto currency wallet stealing.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
- FileName|contains:
- '\AppData\Roaming\Ethereum\keystore\'
- '\AppData\Roaming\EthereumClassic\keystore\'
- '\AppData\Roaming\monero\wallets\'
- FileName|endswith:
- '\AppData\Roaming\Bitcoin\wallet.dat'
- '\AppData\Roaming\BitcoinABC\wallet.dat'
- '\AppData\Roaming\BitcoinSV\wallet.dat'
- '\AppData\Roaming\DashCore\wallet.dat'
- '\AppData\Roaming\DogeCoin\wallet.dat'
- '\AppData\Roaming\Litecoin\wallet.dat'
- '\AppData\Roaming\Ripple\wallet.dat'
- '\AppData\Roaming\Zcash\wallet.dat'
filter_main_system:
Image: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
- Legitimate software installed on partitions other than "C:\"
- Searching software such as "everything.exe"
level: medium
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
- https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
# Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
- '/systemctl'
- '/bash'
- '/sh'
CommandLine|contains|all:
- 'stop'
- 'kesl'
condition: selection
falsepositives:
- System administrator manually stopping Kaspersky services
level: high
title: Potential Persistence Via Security Descriptors - ScriptBlock
id: 2f77047c-e6e9-4c11-b088-a3de399524cd
status: test
description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
references:
- https://github.com/HarmJ0y/DAMP
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'win32_Trustee'
- 'win32_Ace'
- '.AccessMask'
- '.AceType'
- '.SetSecurityDescriptor'
ScriptBlockText|contains:
- '\Lsa\JD'
- '\Lsa\Skew1'
- '\Lsa\Data'
- '\Lsa\GBG'
condition: selection
falsepositives:
- Unknown
level: high
title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
related:
- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
type: similar
status: test
description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
references:
- https://twitter.com/0gtweet/status/1628720819537936386
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sdset:
CommandLine|contains|all:
- 'sdset'
- 'A;' # Allow Access
selection_trustee:
CommandLine|contains:
- ';IU' # Interactively logged-on user
- ';SU' # Service logon user
- ';BA' # Built-in administrators
- ';SY' # Local system
- ';WD' # Everyone
filter_optional_hexnode:
ParentImage: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
related:
- id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
type: similar
- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
type: similar
status: test
description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
references:
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Jonhnathan Ribeiro, oscd.community
date: 2020-10-16
modified: 2023-02-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sdset:
CommandLine|contains|all:
- 'sdset'
- 'D;' # Deny Access
selection_trustee:
CommandLine|contains:
- ';IU' # Interactively logged-on user
- ';SU' # Service logon user
- ';BA' # Built-in administrators
- ';SY' # Local system
- ';WD' # Everyone
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
- id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
type: similar
status: test
description: |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\Microsoft\Office\'
- '\Excel\Security'
- 'PythonFunctionWarnings'
CommandLine|contains: ' 0'
condition: selection
falsepositives:
- Unknown
level: high
title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
- https://twitter.com/JohnLaTwC/status/1415295021041979392
- https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
- https://vms.drweb.fr/virus/?i=24144899
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_reg_add:
CommandLine|contains|all:
- 'reg'
- 'add'
selection_cli_reg_start:
CommandLine|contains|all:
- 'd 4'
- 'v Start'
CommandLine|contains:
- '\AppIDSvc'
- '\MsMpSvc'
- '\NisSrv'
- '\SecurityHealthService'
- '\Sense'
- '\UsoSvc'
- '\WdBoot'
- '\WdFilter'
- '\WdNisDrv'
- '\WdNisSvc'
- '\WinDefend'
- '\wscsvc'
- '\wuauserv'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
- id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
- https://twitter.com/cglyer/status/1355171195654709249
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains|all:
- 'wmic'
- 'product where '
- 'call'
- 'uninstall'
- '/nointeractive'
selection_cli_2:
CommandLine|contains|all:
- 'wmic'
- 'caption like '
CommandLine|contains:
- 'call delete'
- 'call terminate'
selection_cli_3:
CommandLine|contains|all:
- 'process '
- 'where '
- 'delete'
selection_product:
CommandLine|contains:
- '%carbon%'
- '%cylance%'
- '%endpoint%'
- '%eset%'
- '%malware%'
- '%Sophos%'
- '%symantec%'
- 'Antivirus'
- 'AVG '
- 'Carbon Black'
- 'CarbonBlack'
- 'Cb Defense Sensor 64-bit'
- 'Crowdstrike Sensor'
- 'Cylance '
- 'Dell Threat Defense'
- 'DLP Endpoint'
- 'Endpoint Detection'
- 'Endpoint Protection'
- 'Endpoint Security'
- 'Endpoint Sensor'
- 'ESET File Security'
- 'LogRhythm System Monitor Service'
- 'Malwarebytes'
- 'McAfee Agent'
- 'Microsoft Security Client'
- 'Sophos Anti-Virus'
- 'Sophos AutoUpdate'
- 'Sophos Credential Store'
- 'Sophos Management Console'
- 'Sophos Management Database'
- 'Sophos Management Server'
- 'Sophos Remote Management System'
- 'Sophos Update Manager'
- 'Threat Protection'
- 'VirusScan'
- 'Webroot SecureAnywhere'
- 'Windows Defender'
condition: 1 of selection_cli_* and selection_product
falsepositives:
- Legitimate administration
level: high
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pwsh_binary:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- '-DisableBehaviorMonitoring $true'
- '-DisableRuntimeMonitoring $true'
selection_sc_binary:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_stop:
CommandLine|contains|all:
- 'stop'
- 'WinDefend'
selection_sc_tamper_cmd_delete:
CommandLine|contains|all:
- 'delete'
- 'WinDefend'
selection_sc_tamper_cmd_disabled:
CommandLine|contains|all:
- 'config'
- 'WinDefend'
- 'start=disabled'
condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
- 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
title: Security Privileges Enumeration Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: test
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021-05-05
modified: 2023-02-28
tags:
- attack.privilege-escalation
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_cli:
CommandLine|contains:
- ' /priv'
- ' -priv'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
- id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
type: similar
status: experimental
description: |
Detects attempts to disable security event logging by adding the `MiniNt` registry key.
This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: process_creation
product: windows
detection:
selection_reg_img:
# Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cmd:
CommandLine|contains|all:
- ' add '
- '\SYSTEM\CurrentControlSet\Control\MiniNt'
selection_powershell_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_powershell_cmd1:
CommandLine|contains:
- 'New-Item '
- 'ni '
selection_powershell_cmd2:
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
- Highly Unlikely
level: high
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ServiceFileName|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ServiceFileName|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_eid and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
- id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
# ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
# Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
# Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
ServiceFileName|contains|all:
- '&&set'
- 'cmd'
- '/c'
- '-f'
ServiceFileName|contains:
- '{0}'
- '{1}'
- '{2}'
- '{3}'
- '{4}'
- '{5}'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
- id: 63e3365d-4824-42d8-8b82-e56810fefa0c
type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains: '(Clipboard|i'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
- id: 487c7524-f892-4054-b263-8a0ace63fc25
type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'set'
- '&&'
ServiceFileName|contains:
- 'environment'
- 'invoke'
- '${input)'
condition: selection
falsepositives:
- Unknown
level: high
title: Service Installed By Unusual Client - Security
id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
related:
- id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
- https://www.x86matthew.com/view_post?id=create_svc_rpc
- https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
service: security
product: windows
definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
selection_eid:
EventID: 4697
selection_pid:
- ClientProcessId: 0
- ParentProcessId: 0
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Obfuscated IEX Invocation - Security
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_servicefilename:
- ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'
- ServiceFileName|re: '\$VerbosePreference\.ToString\('
- ServiceFileName|re: '\String\]\s*\$VerbosePreference'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
- id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- '&&'
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
ServiceFileName|contains:
- value
- invoke
- comspec
- iex
condition: selection
falsepositives:
- Unknown
level: high
title: Security Eventlog Cleared
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
related:
- id: f2f01843-e7b8-4f95-a35a-d23584476423
type: obsolete
- id: a122ac13-daf8-4175-83a2-72c387be339d
type: obsolete
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2022-02-24
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: security
detection:
selection_517:
EventID: 517
Provider_Name: Security
selection_1102:
EventID: 1102
Provider_Name: Microsoft-Windows-Eventlog
condition: 1 of selection_*
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: high
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
- id: 5a105d34-05fc-401e-8553-272b45c1522d
type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
event_id:
EventID: 4697
selection1:
ServiceFileName|contains|all:
- 'ADMIN$'
- '.exe'
selection2:
ServiceFileName|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
selection3:
ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
selection4:
ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
condition: event_id and 1 of selection*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation STDIN+ Launcher - Security
id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
related:
- id: 72862bf2-0eb1-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'cmd'
- 'powershell'
selection2:
ServiceFileName|contains:
- '${input}'
- 'noexit'
selection3:
ServiceFileName|contains:
- ' /c '
- ' /r '
condition: all of selection*
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
- id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
# ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
# Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
# Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
ServiceFileName|contains|all:
- 'cmd'
- '"set'
- '-f'
ServiceFileName|contains:
- '/c'
- '/r'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation CLIP+ Launcher - Security
id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
related:
- id: f7385ee2-0e0c-11eb-adc1-0242ac120002
type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'cmd'
- '&&'
- 'clipboard]::'
condition: selection
falsepositives:
- Unknown
level: high
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
- id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains|all:
- 'mshta'
- 'vbscript:createobject'
- '.run'
- 'window.close'
condition: selection
falsepositives:
- Unknown
level: high
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: PowerShell Scripts Installed as Services - Security
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
type: derived
status: test
description: Detects powershell script installed as a Service
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-11-29
tags:
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'powershell'
- 'pwsh'
condition: selection
falsepositives:
- Unknown
level: high
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
- id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
type: similar
status: experimental
description: |
Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
condition: selection
falsepositives:
- Highly Unlikely
level: high
title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
- id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
type: similar
status: test
description: |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Office\'
TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: |
Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
author: iwillkeepwatch
date: 2019-01-18
modified: 2026-03-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith:
- '\Control\Lsa\Security Packages'
- '\Control\Lsa\OSConfig\Security Packages'
filter_main_msiexec:
Image:
- 'C:\Windows\system32\msiexec.exe'
- 'C:\Windows\syswow64\MsiExec.exe'
filter_main_image_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: registry_event
product: windows
detection:
selection:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
# key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
falsepositives:
- Unknown
level: high
title: Okta Security Threat Detected
id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
status: test
description: Detects when an security threat is detected in Okta.
references:
- https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.command-and-control
logsource:
product: okta
service: okta
detection:
selection:
eventType: security.threat.detected
condition: selection
falsepositives:
- Unknown
level: medium
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: macos
detection:
launchctl_unload:
Image: '/bin/launchctl'
CommandLine|contains: 'unload'
security_plists:
CommandLine|contains:
- 'com.objective-see.lulu.plist' # Objective-See firewall management utility
- 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
- 'com.google.santad.plist' # google santa
- 'com.carbonblack.defense.daemon.plist' # carbon black
- 'com.carbonblack.daemon.plist' # carbon black
- 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
- 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
- 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
- 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
- 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
- 'osquery' # facebook osquery
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'packetbeat' # elastic network logger/shipper
- 'td-agent' # fluentd log shipper
disable_gatekeeper:
Image: '/usr/sbin/spctl'
CommandLine|contains: 'disable'
condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
- Legitimate activities
level: medium
title: Security Software Discovery - MacOs
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: macos
detection:
image:
Image: '/usr/bin/grep'
selection_cli_1:
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'santad' # google santa
- 'CbDefense' # carbon black
- 'falcond' # crowdstrike falcon
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'BlockBlock' # Objective-See persistence locations watcher/blocker
- 'LuLu' # Objective-See firewall management utility
selection_cli_2: # Objective Development Software firewall management utility
CommandLine|contains|all:
- 'Little'
- 'Snitch'
condition: image and 1 of selection_cli_*
falsepositives:
- Legitimate activities
level: medium
title: RDS Database Security Group Modification
id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015
status: test
description: |
Detects changes to the security group entries for RDS databases.
This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'rds.amazonaws.com'
eventName:
- 'AuthorizeDBSecurityGroupIngress'
- 'CreateDBSecurityGroup'
- 'DeleteDBSecurityGroup'
- 'RevokeDBSecurityGroupIngress'
condition: selection
falsepositives:
- Creation of a new Database that needs new security group rules
level: medium
title: LoadBalancer Security Group Modification
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9
status: test
description: |
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'elasticloadbalancing.amazonaws.com'
eventName:
- 'ApplySecurityGroupsToLoadBalancer'
- 'SetSecurityGroups'
condition: selection
falsepositives:
- Repurposing of an ELB or ALB to serve a different or additional application
- Changes to security groups to allow for new services to be deployed
level: medium
title: Ingress/Egress Security Group Modification
id: 6fb77778-040f-4015-9440-572aa9b6b580
status: test
description: |
Detects when an account makes changes to the ingress or egress rules of a security group.
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName:
- 'AuthorizeSecurityGroupEgress'
- 'AuthorizeSecurityGroupIngress'
- 'RevokeSecurityGroupEgress'
- 'RevokeSecurityGroupIngress'
condition: selection
falsepositives:
- New VPCs and Subnets being setup requiring a different security profile to those already defined
- A single port being opened for a new service that is known to be deploying
- Administrators closing unused ports to reduce the attack surface
level: medium
title: Azure Network Security Configuration Modified or Deleted
id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
status: test
description: Identifies when a network security configuration is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-08
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
falsepositives:
- Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Azure Application Security Group Modified or Deleted
id: 835747f1-9329-40b5-9cc3-97d465754ce6
status: test
description: Identifies when a application security group is modified or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-08-16
modified: 2022-08-23
tags:
- attack.impact
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
condition: selection
falsepositives:
- Application security group being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1686
logsource:
category: process_creation
product: linux
detection:
selection_iptables_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_2:
Image|endswith: '/service'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_iptables_3:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_4:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_firewall_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'stop'
selection_firewall_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'disable'
selection_carbonblack_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_2:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'cbdaemon'
- 'off'
selection_carbonblack_3:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_4:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'disable'
selection_selinux:
Image|endswith: '/setenforce'
CommandLine|contains: '0'
selection_crowdstrike_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'stop'
- 'falcon-sensor'
selection_crowdstrike_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'disable'
- 'falcon-sensor'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: medium
title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
- id: e3a8a052-111f-4606-9aee-f28ebeb76776
type: derived
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
service: syslog
detection:
keywords:
- 'stopping iptables'
- 'stopping ip6tables'
- 'stopping firewalld'
- 'stopping cbdaemon'
- 'stopping falcon-sensor'
condition: keywords
falsepositives:
- Legitimate administration activities
level: medium
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
description: |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
author: frack113
date: 2021-12-28
tags:
- attack.persistence
- attack.t1136.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: System.DirectoryServices.AccountManagement
condition: selection
falsepositives:
- Legitimate administrative script
level: medium