Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,677
high Moderate High FP
Invoke-Obfuscation Via Use Clip
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id e1561947-b4e3-4a74-9bdd-83baed21bdb5
carbon_black query
CommandLine:(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
        # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
        CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
carbon_black query
Payload:(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id db92dd33-a3ad-49cf-8c2c-608c3e30ace0
carbon_black query
ScriptBlockText:(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Clip - Security
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
carbon_black query
EventID:4697 ServiceFileName:\(Clipboard|i*
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 63e3365d-4824-42d8-8b82-e56810fefa0c
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 ImagePath:\(Clipboard|i*
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use MSHTA
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id ac20ae82-8758-4f38-958e-b44a3140ca88
carbon_black query
CommandLine:set* CommandLine:&&* CommandLine:mshta* CommandLine:vbscript\:createobject* CommandLine:.run* CommandLine:\(window.close\)*
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA
id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009   # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use MSHTA - PowerShell
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id e55a5195-4724-480e-a77e-3ebe64bd3759
carbon_black query
ScriptBlockText:set* ScriptBlockText:&&* ScriptBlockText:mshta* ScriptBlockText:vbscript\:createobject* ScriptBlockText:.run* ScriptBlockText:\(window.close\)*
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell
id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
carbon_black query
Payload:set* Payload:&&* Payload:mshta* Payload:vbscript\:createobject* Payload:.run* Payload:\(window.close\)*
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
    - id: e55a5195-4724-480e-a77e-3ebe64bd3759
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2023-01-04
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use MSHTA - Security
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
carbon_black query
EventID:4697 (ServiceFileName:mshta* ServiceFileName:vbscript\:createobject* ServiceFileName:.run* ServiceFileName:window.close*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - 'window.close'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:mshta* ImagePath:vbscript\:createobject*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
carbon_black query
(ScriptBlockText:&&* ScriptBlockText:rundll32* ScriptBlockText:shell32.dll* ScriptBlockText:shellexec_rundll*) (ScriptBlockText:value* OR ScriptBlockText:invoke* OR ScriptBlockText:comspec* OR ScriptBlockText:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ScriptBlockText|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
carbon_black query
(Payload:&&* Payload:rundll32* Payload:shell32.dll* Payload:shellexec_rundll*) (Payload:value* OR Payload:invoke* OR Payload:comspec* OR Payload:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        Payload|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Rundll32 - Security
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id cd0f7229-d16f-42de-8fe3-fba365fbcb3a
carbon_black query
EventID:4697 (ServiceFileName:&&* ServiceFileName:rundll32* ServiceFileName:shell32.dll* ServiceFileName:shellexec_rundll*) (ServiceFileName:value* OR ServiceFileName:invoke* OR ServiceFileName:comspec* OR ServiceFileName:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ServiceFileName|contains:
            - value
            - invoke
            - comspec
            - iex
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community ATT&CK sub-technique id 641a4bfb-c017-44f7-800c-2aee0184ce9b
carbon_black query
Provider_Name:Service\ Control\ Manager EventID:7045 (ImagePath:&&* ImagePath:rundll32* ImagePath:shell32.dll* ImagePath:shellexec_rundll*) (ImagePath:value* OR ImagePath:invoke* OR ImagePath:comspec* OR ImagePath:iex*)
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - System
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ImagePath|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
status test author Florian Roth (Nextron Systems) ATT&CK technique id 412d55bc-7737-4d25-9542-5b396867ce55
carbon_black query
"\/Basic\/Command\/Base64\/" OR "\/Basic\/ReverseShell\/" OR "\/Basic\/TomcatMemshell" OR "\/Basic\/JettyMemshell" OR "\/Basic\/WeblogicMemshell" OR "\/Basic\/JBossMemshell" OR "\/Basic\/WebsphereMemshell" OR "\/Basic\/SpringMemshell" OR "\/Deserialization\/URLDNS\/" OR "\/Deserialization\/CommonsCollections1\/Dnslog\/" OR "\/Deserialization\/CommonsCollections2\/Command\/Base64\/" OR "\/Deserialization\/CommonsBeanutils1\/ReverseShell\/" OR "\/Deserialization\/Jre8u20\/TomcatMemshell" OR "\/TomcatBypass\/Dnslog\/" OR "\/TomcatBypass\/Command\/" OR "\/TomcatBypass\/ReverseShell\/" OR "\/TomcatBypass\/TomcatMemshell" OR "\/TomcatBypass\/SpringMemshell" OR "\/GroovyBypass\/Command\/" OR "\/WebsphereBypass\/Upload\/"
view Sigma YAML 
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
    - https://github.com/pimps/JNDI-Exploit-Kit
    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
        - '/Basic/TomcatMemshell'
        - '/Basic/JettyMemshell'
        - '/Basic/WeblogicMemshell'
        - '/Basic/JBossMemshell'
        - '/Basic/WebsphereMemshell'
        - '/Basic/SpringMemshell'
        - '/Deserialization/URLDNS/'
        - '/Deserialization/CommonsCollections1/Dnslog/'
        - '/Deserialization/CommonsCollections2/Command/Base64/'
        - '/Deserialization/CommonsBeanutils1/ReverseShell/'
        - '/Deserialization/Jre8u20/TomcatMemshell'
        - '/TomcatBypass/Dnslog/'
        - '/TomcatBypass/Command/'
        - '/TomcatBypass/ReverseShell/'
        - '/TomcatBypass/TomcatMemshell'
        - '/TomcatBypass/SpringMemshell'
        - '/GroovyBypass/Command/'
        - '/WebsphereBypass/Upload/'
    condition: keywords
falsepositives:
    - Legitimate apps the use these paths
level: high
Convert to SIEM query
high Moderate High FP
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
status test author Sohan G (D4rkCiph3r) ATT&CK sub-technique id f1408a58-0e94-4165-b80a-da9f96cf6fc3
carbon_black query
(CommandLine:osascript* CommandLine:\ \-e\ * CommandLine:eval* CommandLine:NSData.dataWithContentsOfURL*) ((CommandLine:\ \-l\ * CommandLine:JavaScript*) OR CommandLine:.js*)
view Sigma YAML 
title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
    - https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
    - attack.t1059.002
    - attack.t1059.007
    - attack.execution
logsource:
    product: macos
    category: process_creation
detection:
    selection_main:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'eval'
            - 'NSData.dataWithContentsOfURL'
    selection_js:
        - CommandLine|contains|all:
              - ' -l '
              - 'JavaScript'
        - CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Java Payload Strings
Detects possible Java payloads in web access logs
status test author frack113, Harjot Singh, "@cyb3rjy0t" (update) ATT&CK technique id 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
carbon_black query
"%24%7B%28%23a%3D%40" OR "$\{\(#a=@" OR "%24%7B%40java" OR "$\{@java" OR "u0022java" OR "%2F%24%7B%23" OR "\/$\{#" OR "new\+java." OR "getRuntime\(\).exec\(" OR "getRuntime%28%29.exec%28"
view Sigma YAML 
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high
Convert to SIEM query
high Moderate High FP
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
carbon_black query
"bash\ \-c\ \/bin\/bash" "&\/dev\/tcp\/"
view Sigma YAML 
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
status: test
description: Detects suspicious command sequence that JexBoss
references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        '|all':
            - 'bash -c /bin/bash'
            - '&/dev/tcp/'
    condition: keywords
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
status experimental author Arda Buyukkaya (EclecticIQ) ATT&CK sub-technique id e99375eb-3ee0-407a-9f90-79569cc6a01c
carbon_black query
Image:\\curl.exe (CommandLine:socks5h\:\/\/* OR CommandLine:socks5\:\/\/* OR CommandLine:socks4a\:\/\/*) CommandLine:.onion*
view Sigma YAML 
title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
id: e99375eb-3ee0-407a-9f90-79569cc6a01c
status: experimental
description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
references:
    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
author: Arda Buyukkaya (EclecticIQ)
date: 2025-02-11
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1090
    - attack.t1573
    - attack.t1071.001
    - attack.t1059.001
    - attack.s0183
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\curl.exe'
    selection_socks:
        CommandLine|contains:
            - 'socks5h://'
            - 'socks5://'
            - 'socks4a://'
    selection_onion:
        CommandLine|contains: '.onion'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id c0c67b21-eb8a-4c84-a395-40473ec3b482
carbon_black query
TargetObject:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run* (TargetObject:\\Sens\ Api OR TargetObject:\\OneDrive) (Details:\:\\WINDOWS\\system32\\rundll32.exe* Details:.wll* Details:#1*)
view Sigma YAML 
title: Kapeka Backdoor Autorun Persistence
id: c0c67b21-eb8a-4c84-a395-40473ec3b482
related:
    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
      type: similar
status: test
description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        TargetObject|endswith:
            - '\Sens Api'
            - '\OneDrive'
        Details|contains|all:
            - ':\WINDOWS\system32\rundll32.exe'
            - '.wll'
            - '#1'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Kapeka Backdoor Execution Via RunDLL32.EXE
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
status test author Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
carbon_black query
(Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) (CommandLine:\:\\ProgramData* OR CommandLine:\\AppData\\Local*) ((CommandLine:.wll* CommandLine:#1* CommandLine:\ \-d*) OR (CommandLine:.wll* CommandLine:#1))
view Sigma YAML 
title: Kapeka Backdoor Execution Via RunDLL32.EXE
id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
status: test
description: |
    Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_backdoor_path:
        CommandLine|contains:
            - ':\ProgramData'
            - '\AppData\Local'
    selection_backdoor_exec_1:
        CommandLine|contains|all:
            - '.wll'
            - '#1'
            - ' -d'
    selection_backdoor_exec_2:
        # This account for the in the wild variant
        CommandLine|contains: '.wll'
        CommandLine|endswith: '#1'
    condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Kapeka Backdoor Loaded Via Rundll32.EXE
Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
carbon_black query
Image:\\rundll32.exe (ImageLoaded:\:\\ProgramData* OR ImageLoaded:\\AppData\\Local\\*) ImageLoaded:[a-zA-Z]{5,6}\\.wll
view Sigma YAML 
title: Kapeka Backdoor Loaded Via Rundll32.EXE
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
status: test
description: |
    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|contains:
            - ':\ProgramData'
            - '\AppData\Local\'
        ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
carbon_black query
(((Image:\\schtasks.exe OR OriginalFileName:schtasks.exe) (CommandLine:create* CommandLine:ONSTART*)) OR ((Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:add* CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*))) ((CommandLine:rundll32* CommandLine:.wll* CommandLine:#1*) (CommandLine:Sens\ Api* OR CommandLine:OneDrive*))
view Sigma YAML 
title: Kapeka Backdoor Persistence Activity
id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
status: test
description: |
    Detects Kapeka backdoor persistence activity.
    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
    For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
    To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_schtasks_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_schtasks_flags:
        CommandLine|contains|all:
            - 'create'
            - 'ONSTART'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flags:
        CommandLine|contains|all:
            - 'add'
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
    selection_backdoor_command:
        CommandLine|contains|all:
            - 'rundll32'
            - '.wll'
            - '#1'
        CommandLine|contains:
            - 'Sens Api'
            - 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
    condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Kapeka Backdoor Scheduled Task Creation
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id 6c130acd-0adb-4545-bcc4-2e85d0883c9a
carbon_black query
EventID:4698 (TaskContent:\:\\ProgramData\\* OR TaskContent:\\AppData\\Local\\*) (TaskContent:rundll32* TaskContent:.wll* TaskContent:#1*) (TaskContent:OneDrive* OR TaskContent:Sens\ Api*)
view Sigma YAML 
title: Kapeka Backdoor Scheduled Task Creation
id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a
related:
    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
      type: similar
status: test
description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
references:
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.'
detection:
    selection_eid:
        EventID: 4698
    selection_paths:
        TaskContent|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
    selection_command:
        TaskContent|contains|all:
            - 'rundll32'
            - '.wll'
            - '#1'
    selection_taskname:
        TaskContent|contains:
            - 'OneDrive' # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases
            - 'Sens Api'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
status experimental author Milad Cheraghi ATT&CK technique id 36388120-b3f1-4ce9-b50b-280d9a7f4c04
carbon_black query
(Image:\/systemctl OR Image:\/bash OR Image:\/sh) (CommandLine:stop* CommandLine:kesl*)
view Sigma YAML 
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
  Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
  This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
falsepositives:
    - System administrator manually stopping Kaspersky services
level: high
Convert to SIEM query
high Basic High FP
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. The process that loads these DLLs are very likely to be malicious.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
carbon_black query
ImageLoaded:\\katz_ontop.dll OR ImageLoaded:\\AppData\\Local\\Temp\\received_dll.dll
view Sigma YAML 
title: Katz Stealer DLL Loaded
id: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
status: experimental
description: |
    Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
    The process that loads these DLLs are very likely to be malicious.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1129
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\katz_ontop.dll'
            - '\AppData\Local\Temp\received_dll.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Basic Medium FP
Katz Stealer Suspicious User-Agent
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 834c6d2f-5e98-4b2a-b453-0c4f234afedd
carbon_black query
user_agent:katz\-ontop*
view Sigma YAML 
title: Katz Stealer Suspicious User-Agent
id: 834c6d2f-5e98-4b2a-b453-0c4f234afedd
status: experimental
description: |
    Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'katz-ontop'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id d047726b-c71c-4048-a99b-2e2f50dc107d
carbon_black query
CommandLine:\ run\ run\-cmd\ * (-(ParentImage:\\cleanapi.exe OR ParentImage:\\kavremover.exe))
view Sigma YAML 
title: Kavremover Dropped Binary LOLBIN Usage
id: d047726b-c71c-4048-a99b-2e2f50dc107d
status: test
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
references:
    - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: ' run run-cmd '
    filter_main_legit_parents:
        ParentImage|endswith:
            - '\cleanapi.exe' # When launched from KES installer
            - '\kavremover.exe' # When launched from kavremover.exe
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Low FP
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
status test author Florian Roth (Nextron Systems) ATT&CK technique id f7644214-0eb0-4ace-9455-331ec4c09253
carbon_black query
(EventID:675 OR EventID:4768 OR EventID:4769 OR EventID:4771) (Status:0x9 OR Status:0xA OR Status:0xB OR Status:0xF OR Status:0x10 OR Status:0x11 OR Status:0x13 OR Status:0x14 OR Status:0x1A OR Status:0x1F OR Status:0x21 OR Status:0x22 OR Status:0x23 OR Status:0x24 OR Status:0x26 OR Status:0x27 OR Status:0x28 OR Status:0x29 OR Status:0x2C OR Status:0x2D OR Status:0x2E OR Status:0x2F OR Status:0x31 OR Status:0x32 OR Status:0x3E OR Status:0x3F OR Status:0x40 OR Status:0x41 OR Status:0x43 OR Status:0x44)
view Sigma YAML 
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
    - attack.credential-access
    - attack.t1212
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 675
            - 4768
            - 4769
            - 4771
        Status:
            - '0x9'
            - '0xA'
            - '0xB'
            - '0xF'
            - '0x10'
            - '0x11'
            - '0x13'
            - '0x14'
            - '0x1A'
            - '0x1F'
            - '0x21'
            - '0x22'
            - '0x23'
            - '0x24'
            - '0x26'
            - '0x27'
            - '0x28'
            - '0x29'
            - '0x2C'
            - '0x2D'
            - '0x2E'
            - '0x2F'
            - '0x31'
            - '0x32'
            - '0x3E'
            - '0x3F'
            - '0x40'
            - '0x41'
            - '0x43'
            - '0x44'
    condition: selection
falsepositives:
    - Faulty legacy applications
level: high
Convert to SIEM query
high Strong High FP
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
carbon_black query
((Image:\\livekd.exe OR Image:\\livekd64.exe) OR OriginalFileName:livekd.exe) (CommandLine:\ \-m* OR CommandLine:\ \/m* OR CommandLine:\ –m* OR CommandLine:\ —m* OR CommandLine:\ ―m*)
view Sigma YAML 
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
    - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
    - https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2024-03-13
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    selection_cli:
        CommandLine|contains|windash: ' -m'
    condition: all of selection_*
falsepositives:
    - Unlikely in production environment
level: high
Convert to SIEM query
high Moderate Low FP
KrbRelayUp Service Installation
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
status test author Sittikorn S, Tim Shelton ATT&CK technique id e97d9903-53b2-41fc-8cb9-889ed4093e80
carbon_black query
EventID:7045 ServiceName:KrbSCM
view Sigma YAML 
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
    - https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName: 'KrbSCM'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id f5d19838-41b5-476c-98d8-ba8af4929ee2
carbon_black query
((Image:\\cmd.exe CommandLine:copy\ *) OR ((Image:\\powershell.exe OR Image:\\pwsh.exe) (CommandLine:copy\-item* OR CommandLine:\ copy\ * OR CommandLine:cpi\ * OR CommandLine:\ cp\ *)) OR ((Image:\\robocopy.exe OR Image:\\xcopy.exe) OR (OriginalFileName:robocopy.exe OR OriginalFileName:XCOPY.EXE))) ((CommandLine:\\System32* OR CommandLine:\\SysWOW64* OR CommandLine:\\WinSxS*) (CommandLine:\\bitsadmin.exe* OR CommandLine:\\calc.exe* OR CommandLine:\\certutil.exe* OR CommandLine:\\cmdl32.exe* OR CommandLine:\\cscript.exe* OR CommandLine:\\mshta.exe* OR CommandLine:\\rundll32.exe* OR CommandLine:\\wscript.exe* OR CommandLine:\\ie4uinit.exe*))
view Sigma YAML 
title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
    - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
modified: 2025-11-27
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_tools_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_tools_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target_path:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
            - '\WinSxS'
    selection_target_lolbin:
        CommandLine|contains:
            # Note: add more binaries to increase coverage
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cmdl32.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\ie4uinit.exe'
    condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
LPE InstallerFileTakeOver PoC CVE-2021-41379
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
status test author Florian Roth (Nextron Systems) ATT&CK technique id 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
carbon_black query
EventID:1033 Provider_Name:MsiInstaller Data:test\ pkg*
view Sigma YAML 
title: LPE InstallerFileTakeOver PoC CVE-2021-41379
id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
status: test
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
references:
    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-07-12
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        EventID: 1033
        Provider_Name: 'MsiInstaller'
        Data|contains: 'test pkg'
    condition: selection
falsepositives:
    - Other MSI packages for which your admins have used that name
level: high
Convert to SIEM query
high Strong Medium FP
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
status test author Markus Neis ATT&CK sub-technique id a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
carbon_black query
(EventID:1121 Path:\\lsass.exe) (-((ProcessName:C\:\\Windows\\Temp\\asgard2\-agent\\* (ProcessName:\\thor64.exe OR ProcessName:\\thor.exe)) OR (ProcessName:C\:\\Windows\\System32\\atiesrxx.exe OR ProcessName:C\:\\Windows\\System32\\CompatTelRunner.exe OR ProcessName:C\:\\Windows\\System32\\msiexec.exe OR ProcessName:C\:\\Windows\\System32\\nvwmi64.exe OR ProcessName:C\:\\Windows\\System32\\svchost.exe OR ProcessName:C\:\\Windows\\System32\\Taskmgr.exe OR ProcessName:C\:\\Windows\\System32\\wbem\\WmiPrvSE.exe OR ProcessName:C\:\\Windows\\SysWOW64\\msiexec.exe) OR (ProcessName:C\:\\Windows\\System32\\DriverStore\\* OR ProcessName:C\:\\WINDOWS\\Installer\\* OR ProcessName:C\:\\Program\ Files\\* OR ProcessName:C\:\\Program\ Files\ \(x86\)\\*)))
view Sigma YAML 
title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high
Convert to SIEM query
high Moderate Medium FP
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 4be8b654-0c01-4c9d-a10c-6b28467fc651
carbon_black query
TargetImage:\\lsass.exe (SourceImage:\\TrolleyExpress.exe OR SourceImage:\\ProcessDump.exe OR SourceImage:\\dump64.exe) (GrantedAccess:10 OR GrantedAccess:30 OR GrantedAccess:50 OR GrantedAccess:70 OR GrantedAccess:90 OR GrantedAccess:B0 OR GrantedAccess:D0 OR GrantedAccess:F0 OR GrantedAccess:18 OR GrantedAccess:38 OR GrantedAccess:58 OR GrantedAccess:78 OR GrantedAccess:98 OR GrantedAccess:B8 OR GrantedAccess:D8 OR GrantedAccess:F8 OR GrantedAccess:1A OR GrantedAccess:3A OR GrantedAccess:5A OR GrantedAccess:7A OR GrantedAccess:9A OR GrantedAccess:BA OR GrantedAccess:DA OR GrantedAccess:FA OR GrantedAccess:0x14C2 OR GrantedAccess:FF)
view Sigma YAML 
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith:
            - '\TrolleyExpress.exe'  # Citrix
            - '\ProcessDump.exe'     # Cisco Jabber
            - '\dump64.exe'          # Visual Studio
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Low FP
LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409). This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability, which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id f8a66a02-4a16-46e5-b7fd-a42c8a93d137
carbon_black query
Provider_Name:Application\ Error EventID:1000 AppName:lsass.exe ModuleName:netlogon.dll ExceptionCode:c0000409
view Sigma YAML 
title: LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
id: f8a66a02-4a16-46e5-b7fd-a42c8a93d137
status: experimental
description: |
    Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
    This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability,
    which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service,
    leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
references:
    - https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/
    - https://learn.microsoft.com/en-us/shows/inside/c0000409
    - https://github.com/p3Nt3st3r-sTAr/CVE-2026-41089
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-06-02
tags:
    - attack.impact
    - attack.t1499
    - cve.2026-41089
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ModuleName: 'netlogon.dll'
        ExceptionCode: 'c0000409' # STATUS_STACK_BUFFER_OVERRUN
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
status test author E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id ffa6861c-4461-4f59-8a41-578c39f3f23e
carbon_black query
(CommandLine:lsass.dmp* OR CommandLine:lsass.zip* OR CommandLine:lsass.rar* OR CommandLine:Andrew.dmp* OR CommandLine:Coredump.dmp* OR CommandLine:NotLSASS.zip* OR CommandLine:lsass_2* OR CommandLine:lsassdump* OR CommandLine:lsassdmp*) OR (CommandLine:lsass* CommandLine:.dmp*) OR (CommandLine:SQLDmpr* CommandLine:.mdmp*) OR (CommandLine:nanodump* CommandLine:.dmp*)
view Sigma YAML 
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
      type: derived
status: test
description: |
    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
    - https://github.com/Hackndo/lsassy
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains:
              - 'lsass.dmp'
              - 'lsass.zip'
              - 'lsass.rar'
              - 'Andrew.dmp'
              - 'Coredump.dmp'
              - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump
              - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
              - 'lsassdump'
              - 'lsassdmp'
        - CommandLine|contains|all:
              - 'lsass'
              - '.dmp'
        - CommandLine|contains|all:
              - 'SQLDmpr'
              - '.mdmp'
        - CommandLine|contains|all:
              - 'nanodump'
              - '.dmp'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
carbon_black query
TargetImage:\\lsass.exe SourceImage:dump* (GrantedAccess:10 OR GrantedAccess:30 OR GrantedAccess:50 OR GrantedAccess:70 OR GrantedAccess:90 OR GrantedAccess:B0 OR GrantedAccess:D0 OR GrantedAccess:F0 OR GrantedAccess:18 OR GrantedAccess:38 OR GrantedAccess:58 OR GrantedAccess:78 OR GrantedAccess:98 OR GrantedAccess:B8 OR GrantedAccess:D8 OR GrantedAccess:F8 OR GrantedAccess:1A OR GrantedAccess:3A OR GrantedAccess:5A OR GrantedAccess:7A OR GrantedAccess:9A OR GrantedAccess:BA OR GrantedAccess:DA OR GrantedAccess:FA OR GrantedAccess:0x14C2 OR GrantedAccess:FF)
view Sigma YAML 
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|contains: 'dump'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Rare programs that contain the word dump in their name and access lsass
level: high
Convert to SIEM query
high Strong Low FP
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
status experimental author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id a18e0862-127b-43ca-be12-1a542c75c7c5
carbon_black query
Provider_Name:Application\ Error EventID:1000 AppName:lsass.exe ExceptionCode:c0000001
view Sigma YAML 
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
    condition: selection
falsepositives:
    - Rare legitimate crashing of the lsass process
level: high
Convert to SIEM query
high Strong High FP
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
status test author @pbssubhash ATT&CK sub-technique id 6902955a-01b7-432c-b32a-6f5f81d8f625
carbon_black query
TargetFilename:C\:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\* TargetFilename:lsass.exe.* TargetFilename:.dmp
view Sigma YAML 
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
        TargetFilename|contains: 'lsass.exe.'
        TargetFilename|endswith: '.dmp'
    condition: selection
falsepositives:
    - Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
Convert to SIEM query
high Strong High FP
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
status test author Swachchhanda Shrawan Poudel ATT&CK sub-technique id 69ca12af-119d-44ed-b50f-a47af0ebc364
carbon_black query
(Image:\:\\Windows\\system32\\taskmgr.exe OR Image:\:\\Windows\\SysWOW64\\taskmgr.exe) (TargetFilename:\\AppData\\Local\\Temp\\* TargetFilename:\\lsass* TargetFilename:.DMP*)
view Sigma YAML 
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - ':\Windows\system32\taskmgr.exe'
            - ':\Windows\SysWOW64\taskmgr.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '\lsass'
            - '.DMP'
    condition: selection
falsepositives:
    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
Convert to SIEM query
high Strong Medium FP
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id a5a2d357-1ab8-4675-a967-ef9990a59391
carbon_black query
(TargetFilename:\\Andrew.dmp OR TargetFilename:\\Coredump.dmp OR TargetFilename:\\lsass.dmp OR TargetFilename:\\lsass.rar OR TargetFilename:\\lsass.zip OR TargetFilename:\\NotLSASS.zip OR TargetFilename:\\PPLBlade.dmp OR TargetFilename:\\rustive.dmp) OR (TargetFilename:\\lsass_2* OR TargetFilename:\\lsassdmp* OR TargetFilename:\\lsassdump*) OR (TargetFilename:\\lsass* TargetFilename:.dmp*) OR (TargetFilename:SQLDmpr* TargetFilename:.mdmp) OR ((TargetFilename:\\nanodump* OR TargetFilename:\\proc_*) TargetFilename:.dmp)
view Sigma YAML 
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsolete
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
    - https://www.google.com/search?q=procdump+lsass
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
    - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
    - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|endswith:
            - '\Andrew.dmp'
            - '\Coredump.dmp'
            - '\lsass.dmp'
            - '\lsass.rar'
            - '\lsass.zip'
            - '\NotLSASS.zip'  # https://github.com/CCob/MirrorDump
            - '\PPLBlade.dmp'  # https://github.com/tastypepperoni/PPLBlade
            - '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
    selection_2:
        TargetFilename|contains:
            - '\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
            - '\lsassdmp'
            - '\lsassdump'
    selection_3:
        TargetFilename|contains|all:
            - '\lsass'
            - '.dmp'
    selection_4:
        TargetFilename|contains: 'SQLDmpr'
        TargetFilename|endswith: '.mdmp'
    selection_5:
        TargetFilename|contains:
            - '\nanodump'
            - '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
        TargetFilename|endswith: '.dmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id fe63010f-8823-4864-a96b-a7b4a0f7b929
carbon_black query
(((Image:\\find.exe OR Image:\\findstr.exe) OR (OriginalFileName:FIND.EXE OR OriginalFileName:FINDSTR.EXE)) CommandLine:lsass*) OR (CommandLine:\ \-i\ \"lsass* OR CommandLine:\ \/i\ \"lsass* OR CommandLine:\ –i\ \"lsass* OR CommandLine:\ —i\ \"lsass* OR CommandLine:\ ―i\ \"lsass* OR CommandLine:\ \-i\ lsass.exe* OR CommandLine:\ \/i\ lsass.exe* OR CommandLine:\ –i\ lsass.exe* OR CommandLine:\ —i\ lsass.exe* OR CommandLine:\ ―i\ lsass.exe* OR CommandLine:findstr\ \"lsass* OR CommandLine:findstr\ lsass* OR CommandLine:findstr.exe\ \"lsass* OR CommandLine:findstr.exe\ lsass*)
view Sigma YAML 
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains: 'lsass'
    selection_special:
        CommandLine|contains|windash:
            - ' /i "lsass'
            - ' /i lsass.exe'
            - 'findstr "lsass'
            - 'findstr lsass'
            - 'findstr.exe "lsass'
            - 'findstr.exe lsass'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
Convert to SIEM query
high Moderate High FP
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
carbon_black query
CommandLine:\-nop\ \-w\ hidden\ \-c\ IEX\ \(\(new\-object\ net.webclient\).downloadstring\(* CommandLine:\/a'\)*
view Sigma YAML 
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
            - /a')
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id e94486ea-2650-4548-bf25-88cbd0bb32d7
carbon_black query
(TargetFilename:\:\\Program\ Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe OR TargetFilename:\:\\Program\ Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war OR TargetFilename:\:\\Program\ Files\\SysAidServer\\tomcat\\webapps\\leave) OR TargetFilename:\:\\Program\ Files\\SysAidServer\\tomcat\\webapps\\user.*
view Sigma YAML 
title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith:
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Lace Tempest Malware Loader Execution
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
carbon_black query
Image:\:\\Program\ Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe OR Hashes:SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D*
view Sigma YAML 
title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
    selection_hash:
        Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id b377ddab-502d-4519-9e8c-5590033d2d70
carbon_black query
ScriptBlockText:cleanLL* ScriptBlockText:usersfiles.war* ScriptBlockText:Remove\-Item\ \-Path\ \"$tomcat_dir* ScriptBlockText:SysAidServer* ScriptBlockText:sleep\ * ScriptBlockText:while\(1\)*
view Sigma YAML 
title: Lace Tempest PowerShell Evidence Eraser
id: b377ddab-502d-4519-9e8c-5590033d2d70
status: test
description: |
    Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'cleanLL'
            - 'usersfiles.war'
            - 'Remove-Item -Path "$tomcat_dir'
            - 'SysAidServer'
            - 'sleep '
            - 'while(1)'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 37dc5463-f7e3-4f61-ad76-ba59cd02a651
carbon_black query
ScriptBlockText:\\SysAidServer\\tomcat\\webapps* ScriptBlockText:Starting\ user.exe* ScriptBlockText:\\usersfiles\\user.exe* ScriptBlockText:Remove\-Item\ \-Force\ \"$wapps* ScriptBlockText:\(Sophos\).*
view Sigma YAML 
title: Lace Tempest PowerShell Launcher
id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
status: test
description: |
    Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '\SysAidServer\tomcat\webapps'
            - 'Starting user.exe'
            - '\usersfiles\user.exe'
            - 'Remove-Item -Force "$wapps'
            - '(Sophos).'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
status test author Thurein Oo, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 24007168-a26b-4049-90d0-ce138e13a5cf
carbon_black query
(Image:C\:\\ProgramShared\\PresentationHost.exe ImageLoaded:\:\\ProgramShared\\mscoree.dll) OR (Image:C\:\\ProgramData\\Adobe\\colorcpl.exe ImageLoaded:C\:\\ProgramData\\Adobe\\colorui.dll) OR (Image:C\:\\ProgramData\\Oracle\\Java\\fixmapi.exe ImageLoaded:C\:\\ProgramData\\Oracle\\Java\\mapistub.dll) OR (Image:C\:\\ProgramData\\Adobe\\ARM\\tabcal.exe ImageLoaded:C\:\\ProgramData\\Adobe\\ARM\\HID.dll)
view Sigma YAML 
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: test
description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
references:
    - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
    - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0032
    - detection.emerging-threats
logsource:
    product: windows
    category: image_load
detection:
    selection_mscoree:
        Image: 'C:\ProgramShared\PresentationHost.exe'
        ImageLoaded: ':\ProgramShared\mscoree.dll'
    selection_colorui:
        Image: 'C:\ProgramData\Adobe\colorcpl.exe'
        ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
    selection_mapistub:
        Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
        ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
    selection_hid:
        Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
        ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Lazarus System Binary Masquerading
Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
status test author Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) ATT&CK sub-technique id 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
carbon_black query
(Image:\\msdtc.exe OR Image:\\gpsvc.exe) (-(Image:C\:\\Windows\\System32\\* OR Image:C\:\\Windows\\SysWOW64\\*))
view Sigma YAML 
title: Lazarus System Binary Masquerading
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
status: test
description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
references:
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
date: 2020-06-03
modified: 2023-03-10
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\msdtc.exe'
            - '\gpsvc.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
Showing 501-550 of 1,677
Prev 11 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh