title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to…

title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperati…

title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
    Detects file access requests to crypto currency files by uncommon processes.
    Could indicate potential attempt of crypto currency wallet stealing.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
    - attack.t10…

title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes based on name and location that access the windows credential manager and vault.
    Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
    - https://hunter2.gitbook.io/dar…

title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-cont…

title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tu…

title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
    In order to dump the process memory or perform other ne…

title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twi…

title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that dat…

title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsof…

title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
    Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
    Enabling this feature allows memory dumps (core dumps) of SUID pro…

title: Interesting Service Enumeration Via Sc.EXE
id: e83e8899-c9b2-483b-b355-5decc942b959
status: test
description: |
    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
references:
    - https://www.n00py.io/2…

title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
id: c5f37810-a85f-4186-81e9-33f23abb4141
status: test
description: |
    Detects file access requests to chromium based browser sensitive files by uncommon processes.
    Could indicate potential attempt of stealing sensitive information.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07…

title: Access To Browser Credential Files By Uncommon Applications
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
related:
    - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
      type: similar
status: test
description: |
    Detects file access requests to browser credential stores by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage…

title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/think…

title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/ope…

title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf…

title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829f…

title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
    - https://linux.die.net/man/8/pam_tty_audit
    - https://access.redhat.com/documentation/en-us/red_hat_e…

title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-in…

title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
    - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tag…

title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attac…

title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
    - https://github.com/Porchetta-Industries/CrackMapExec
    - https://github.com/fortra/impacket/blo…

title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
    - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsof…

title: Microsoft IIS Service Account Password Dumped
id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701
status: test
description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
    - https://twitter.com/0gtweet/status/15888156610859171…

title: Microsoft IIS Connection Strings Decryption
id: 97dbf6e2-e436-44d8-abee-4261b24d3e41
status: test
description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
referenc…

title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
    - https://github.com/cube0x0
    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
da…

title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memo…

title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modi…

title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
      type: similar
status: experimental
description: |
    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
    These DLLs contain the MiniDumpWriteDump function, which can be abused…

title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08…

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https…

title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resourc…

title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attac…

title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://tw…

title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
    - attack.cre…

title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
    - id: 910ab938-668b-401b-b08c-b596e80fdca5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credential…

title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/Othe…

title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-ac…

title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
    - https://twitter.com/countuponsec/status/910977826853068800
    - https://twitter.com/countuponsec/status/910969424215232518
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kirya…

title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rig…

title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
    Detects process access requests to the LSASS process with specific call trace calls and access masks.
    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
 …

title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2021-11-27
tags:
    - attack.credential-access
…

title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for…

title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
    - id: 2e69f167-47b5-4ae7-a390-47764529eff5
      type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumpi…

title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
    - attack.credent…

title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
    The Dbghelp and Dbgcore DLLs export functions that allow for t…

title: Uncommon GrantedAccess Flags On LSASS
id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: obsolete
status: test
description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://on…

title: LSASS Access From Program In Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: test
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid…

title: Potential Credential Dumping Attempt Via PowerShell
id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: fb656378-f909-47c1-8747-278bf09f4f4f
      type: similar
status: test
description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
re…

title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
    - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04…

title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-2…

title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-te…

title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepi…

title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
      type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modif…

title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsolete
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user …

title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
    - https://github.com/GhostPack/SafetyKatz
    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-…

title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
    - https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
    - attack.credenti…

title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
      type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
    - https:…

title: Password Dumper Remote Thread in LSASS
id: f239b326-2f41-4d6b-9dfa-c846a60ef505
status: stable
description: |
    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
    The process in field Process is the malicious program. A single execution can lead to hundreds of events.
references:
    - https://jpcer…

title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
      type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
    - https://speakerdeck.com/he…

title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
    - attack.credential-a…

title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
    - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
      type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-to…

title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
    Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
    Currently the rule is covering only usage of procdump but other utilities can be added in order to incre…

title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
    - id: e76c8240-d68f-4773-8880-5c6f63595aaf
      type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binarie…

title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
      type: derived
status: test
description: |
    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
    - https://github.com/Hackndo/l…

title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
      type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com…

title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
      type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
    - https://twitter.com/shantanukhande/status/122934887429838…

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-acce…

title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nex…

title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
    - https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: …

title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentation…

title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
    - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
    - https://githu…

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywor…

title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
    - https://twitter.com/nas_bench/status/15349…

title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memo…

title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
    Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
    (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
    - https://github.com/TwoSevenOneT/WSASS
    - https://www.zerosalar…

title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsyst…

title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
    - id: 6355a919-2e97-4285-a673-74645566340d
      type: obsolete
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
    - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
    - https:/…

title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
    - https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024…

title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
      type: similar
status: experimental
description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions…

title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Ro…

title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-a…

title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
      type: similar
status: experimental
description: |
    Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
    These DLLs contain functions…

title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/…

title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-crede…

title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 20…

title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
aut…

title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www…

title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
    - https://twitter.com/SBousseaden/status/1541920424635912196
    - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules…

title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsolete
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    -…

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.executio…

title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70…

title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: test
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
references:
    - https://twitter.com/sbousseaden/status/1555200155351228419
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-02-17
tags:
    - attack.credential-access
    …

title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
    - https://twitter.com/mattifestation/status/11963903…

title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
related:
    - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
    Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API…

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
dat…

title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepi…

title: Password Dumper Activity on LSASS
id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
status: test
description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
references:
    - https://twitter.com/jackcr/status/807385668833968128
author: sigma
date: 2017-02-12
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    pr…

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
a…

title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: window…

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavsk…

title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.m…

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https…

title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://u…

title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118…

title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
    - https://github.com/Kevin-Robertson/Inveigh
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 202…

title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
    - https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.0…

title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-…

title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://tw…

title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within comprom…

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s000…

title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
    - id: 36803969-5421-41ec-b92f-8500f79c23b0
      type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-…

title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: test
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
references:
    - https://securelist.com/schroedingers-petya/78870/
    - https:/…

title: APT31 Judgement Panda Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-10
tags:
    - attack.colle…

title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomic…

title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-2…

title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
      type: obsolete
    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
      type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
    - http…

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywor…

title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
status: test
description: Detects usage of cmdkey to look for cached credentials on the system
references:
    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
    - https:…

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
a…

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavsk…

title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118…

title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
  …

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywor…

title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
dat…

title: Mimikatz DC Sync
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
status: test
description: Detects Mimikatz DC sync security events
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
    - https://learn.microsoft.com/en-us/previous-ve…

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
a…

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavsk…

title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com…

title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
 …

title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-re…

title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    -…

title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
      type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
    - https://www.sans.edu/cyber-research/from-crash-compr…

title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: test
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020-04-16
modified: 2022-10-05
t…

title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/c…

title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138…

title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to f…

title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects dump of credentials in VeeamBackup dbo
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-0…

title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to…

title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windo…

title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefo…

title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
id: efd2eb09-b72e-4a61-8dc7-b1382a1e8983
status: experimental
description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
references:
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
t…

title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
status: test
description: Detects a command used by conti to dump database
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06…

title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    -…

title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
    - id: 410ad193-a728-4107-bc79-4419789fcbf8
      type: similar
    - id: 903076ff-f442-475a-b667-4f246bcc203b
      type: similar
    - id: 77815820-246c-47b8-9741-e0def3f57308
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
referenc…

title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1…

title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1…

title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1…

title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author…

title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
id: ea207a23-b441-4a17-9f76-ad5be47d51d3
status: test
description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
references:
    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
    - https://learn.…

title: Userdomain Variable Enumeration
id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
status: test
description: Detects suspicious enumeration of the domain the user is associated with.
references:
    - https://www.arxiv-vanity.com/papers/2008.04676/
    - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2023-0…

title: System Network Discovery - macOS
id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: remotephone, oscd.community
date: 2020-10-06
modified: 2024-08-29
tags:
    - attack.discovery
    -…

title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: Ömer Günal and remotephone, oscd.community
date: 2020-10-06
modified: 2022-09-15
tags:
    - attack.…

title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencan…

title: Potential Pikabot Discovery Activity
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: test
description: |
    Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
references:
    - …

title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/…

title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-u…

title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/…

title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    -…

title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1…

title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da…

title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author…

title: Share And Session Enumeration Using Net.EXE
id: 62510e69-616b-4078-b371-847da438cc03
status: stable
description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f33…

title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
    Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
references:
    - https://github.com/redcanaryco/atom…

title: Net.EXE Execution
id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
status: test
description: Detects execution of "Net.EXE".
references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46b…

title: Macos Remote System Discovery
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    -…

title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
    - id: 75df3b17-8bcc-4565-b89b-c9898acef911
      type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://…

title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-…

title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-websh…

title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), M…

title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modif…

title: HackTool - NetExec Execution
id: 7638e5fe-600c-4289-a968-f49dd537ec7d
status: experimental
description: |
    Detects execution of the hacktool NetExec.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
    In enterprise environments, the use of NetExec is considered suspicious or potentially…

title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
…

title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: …

title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
   …

title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.exe…

title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-e…

title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.c…

title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://redcanary.com/blog/yellow-cockatoo/
…

title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - http…

title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - …

title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.…

title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://learn.microsoft.com/…

title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-2…

title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.stealt…

title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified:…

title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - a…

title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.executi…

title: Potential CommandLine Obfuscation Using Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
related:
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential CommandLine obfuscation u…

title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-26
tags…

title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
    -…

title: Potential PowerShell Obfuscation Using Character Join
id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
    - id: 96cd126d-f970-49c4-848a-da3a09f55c55
      type: derived
status: test
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 202…

title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
      type: derived
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
    - https://github.com/1337Rin/Swag-PSO
author: frack113
date: 2023-01-08
modif…

title: Potential Encoded PowerShell Patterns In CommandLine
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: similar
status: test
description: Detects specific combinations of encoding methods in PowerShell via the commandline
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
author: Teymur Kheirk…

title: Potential Suspicious Execution From GUID Like Folder Names
id: 90b63c33-2b97-4631-a011-ceb0f47b77c3
status: test
description: |
    Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
    Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
references:
   …

title: Potentially Suspicious Long Filename Pattern - Linux
id: 11629c4d-0fe6-465b-be62-b39a1c442aad
status: experimental
description: |
    Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
    This is a hunting rule to identify potential threats that use long filenames to evade detection…

title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware…

title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11…

title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
related:
    - id: 73e67340-0d25-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020-10-13
modifi…