Home/Detection rules/VMware Carbon Black
Tool
EDR / XDR

VMware Carbon Black

1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,677
high Moderate Medium FP
OpenCanary - SMB File Open Request
Detects instances where an SMB service on an OpenCanary node has had a file open request.
status test author Security Onion Solutions ATT&CK technique id 22777c9e-873a-4b49-855f-6072ab861a52
carbon_black query
logtype:5000
view Sigma YAML 
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.t1021
    - attack.t1005
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5000
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SNMP OID Request
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
status test author Security Onion Solutions ATT&CK technique id e9856028-fd4e-46e6-b3d1-10f7ceb95078
carbon_black query
logtype:13001
view Sigma YAML 
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.discovery
    - attack.lateral-movement
    - attack.t1016
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 13001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions ATT&CK technique id ff7139bc-fdb1-4437-92f2-6afefe8884cb
carbon_black query
logtype:4002
view Sigma YAML 
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4002
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions ATT&CK technique id cd55f721-5623-4663-bd9b-5229cab5237d
carbon_black query
logtype:4000
view Sigma YAML 
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4000
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - TFTP Request
Detects instances where a TFTP service on an OpenCanary node has had a request.
status test author Security Onion Solutions ATT&CK technique id b4e6b016-a2ac-4759-ad85-8000b300d61e
carbon_black query
logtype:10001
view Sigma YAML 
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 10001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions ATT&CK technique id 512cff7a-683a-43ad-afe0-dd398e872f36
carbon_black query
logtype:6001
view Sigma YAML 
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: test
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1133
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 6001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenCanary - VNC Connection Attempt
Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions ATT&CK technique id 9db5446c-b44a-4291-8b89-fcab5609c3b3
carbon_black query
logtype:12001
view Sigma YAML 
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 12001
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
OpenWith.exe Executes Specified Binary
The OpenWith.exe executes other binary
status test author Beyu Denis, oscd.community (rule), @harr0ey (idea) ATT&CK technique id cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
carbon_black query
Image:\\OpenWith.exe CommandLine:\/c*
view Sigma YAML 
title: OpenWith.exe Executes Specified Binary
id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
status: test
description: The OpenWith.exe executes other binary
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
    - https://twitter.com/harr0ey/status/991670870384021504
author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\OpenWith.exe'
        CommandLine|contains: '/c'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
status test author Florian Roth (Nextron Systems), frack113 ATT&CK sub-technique id 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
carbon_black query
CommandLine:checkadmin.exe\ 127.0.0.1\ \-all* OR CommandLine:netsh\ advfirewall\ firewall\ add\ rule\ name=powershell\ dir=in* OR CommandLine:cmd\ \/c\ powershell.exe\ \-ep\ bypass\ \-file\ c\:\\s.ps1* OR CommandLine:\/tn\ win32times\ \/f* OR CommandLine:create\ win32times\ binPath=* OR CommandLine:\\c$\\windows\\system32\\devmgr.dll* OR CommandLine:\ \-exec\ bypass\ \-enc\ JgAg* OR CommandLine:type\ *keepass\\KeePass.config.xml* OR CommandLine:iie.exe\ iie.txt* OR CommandLine:reg\ query\ HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\*
view Sigma YAML 
title: Operation Wocao Activity
id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
related:
    - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
      type: derived
status: test
description: Detects activity mentioned in Operation Wocao report
references:
    - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
    - https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
date: 2019-12-20
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.discovery
    - attack.stealth
    - attack.t1012
    - attack.t1036.004
    - attack.t1027
    - attack.execution
    - attack.t1053.005
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        CommandLine|contains:
            - 'checkadmin.exe 127.0.0.1 -all'
            - 'netsh advfirewall firewall add rule name=powershell dir=in'
            - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
            - '/tn win32times /f'
            - 'create win32times binPath='
            - '\c$\windows\system32\devmgr.dll'
            - ' -exec bypass -enc JgAg'
            - 'type *keepass\KeePass.config.xml'
            - 'iie.exe iie.txt'
            - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
    condition: selection
falsepositives:
    - Administrators that use checkadmin.exe tool to enumerate local administrators
level: high
Convert to SIEM query
high Strong Medium FP
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
status test author Florian Roth (Nextron Systems), frack113 ATT&CK sub-technique id 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
carbon_black query
EventID:4799 TargetUserName:Administr* CallerProcessName:\\checkadmin.exe
view Sigma YAML 
title: Operation Wocao Activity - Security
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
status: test
description: Detects activity mentioned in Operation Wocao report
references:
    - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
    - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
    - https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
date: 2019-12-20
modified: 2022-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.discovery
    - attack.stealth
    - attack.t1012
    - attack.t1036.004
    - attack.t1027
    - attack.execution
    - attack.t1053.005
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4799
        TargetUserName|startswith: 'Administr'
        CallerProcessName|endswith: '\checkadmin.exe'
    condition: selection
falsepositives:
    - Administrators that use checkadmin.exe tool to enumerate local administrators
level: high
Convert to SIEM query
high Moderate High FP
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
status test author _pete_0, TheDFIRReport ATT&CK sub-technique id 647c7b9e-d784-4fda-b9a0-45c565a7b729
carbon_black query
(OriginalFileName:Cmd.Exe OR Image:\\cmd.exe) ((CommandLine:cmd\ * OR CommandLine:cmd.exe* OR CommandLine:c\:\\windows\\system32\\cmd.exe*) (CommandLine:psinject* OR CommandLine:spawnas* OR CommandLine:make_token* OR CommandLine:remote\-exec* OR CommandLine:rev2self* OR CommandLine:dcsync* OR CommandLine:logonpasswords* OR CommandLine:execute\-assembly* OR CommandLine:getsystem*))
view Sigma YAML 
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
    - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
      type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.003
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|startswith:
            - 'cmd '
            - 'cmd.exe'
            - 'c:\windows\system32\cmd.exe'
        CommandLine|contains:
            - 'psinject'
            - 'spawnas'
            - 'make_token'
            - 'remote-exec'
            - 'rev2self'
            - 'dcsync'
            - 'logonpasswords'
            - 'execute-assembly'
            - 'getsystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
status test author _pete_0, TheDFIRReport ATT&CK sub-technique id 4f154fb6-27d1-4813-a759-78b93e0b9c48
carbon_black query
(OriginalFileName:Cmd.Exe OR Image:\\cmd.exe) (CommandLine:Invoke\-UserHunter* OR CommandLine:Invoke\-ShareFinder* OR CommandLine:Invoke\-Kerberoast* OR CommandLine:Invoke\-SMBAutoBrute* OR CommandLine:Invoke\-Nightmare* OR CommandLine:zerologon* OR CommandLine:av_query*)
view Sigma YAML 
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
    - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
      type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-UserHunter'
            - 'Invoke-ShareFinder'
            - 'Invoke-Kerberoast'
            - 'Invoke-SMBAutoBrute'
            - 'Invoke-Nightmare'
            - 'zerologon'
            - 'av_query'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
status test author Florian Roth (Nextron Systems) ATT&CK technique id 85d466b0-d74c-4514-84d3-2bdd3327588b
carbon_black query
"cs-uri-query":\/console\/images\/%252E%252E%252Fconsole.portal* OR "cs-uri-query":\/console\/css\/%2e*
view Sigma YAML 
title: Oracle WebLogic Exploit CVE-2020-14882
id: 85d466b0-d74c-4514-84d3-2bdd3327588b
status: test
description: Detects exploitation attempts on WebLogic servers
references:
    - https://isc.sans.edu/diary/26734
    - https://twitter.com/jas502n/status/1321416053050667009?s=20
    - https://twitter.com/sudo_sudoka/status/1323951871078223874
author: Florian Roth (Nextron Systems)
date: 2020-11-02
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - cve.2020-14882
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/console/images/%252E%252E%252Fconsole.portal'
            - '/console/css/%2e'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id efafe0bf-4238-479e-af8f-797bd3490d2d
carbon_black query
(Image:\\cmstp.exe Initiated:true) (-(DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*))
view Sigma YAML 
title: Outbound Network Connection Initiated By Cmstp.EXE
id: efafe0bf-4238-479e-af8f-797bd3490d2d
status: test
description: |
    Detects a network connection initiated by Cmstp.EXE
    Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2024-05-31
tags:
    - attack.stealth
    - attack.t1218.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# Note: Please report any false positive seen in the wild to help tune the rule.
level: high
Convert to SIEM query
high Strong Medium FP
Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
status test author CertainlyP ATT&CK sub-technique id 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
carbon_black query
(Image:\:\\Windows\\System32\\dialer.exe Initiated:true) (-(DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*))
view Sigma YAML 
title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: test
description: |
    Detects outbound network connection initiated by Microsoft Dialer.
    The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
    This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
    - https://tria.ge/240301-rk34sagf5x/behavioral2
    - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
    - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
    - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024-04-26
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\dialer.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high
Convert to SIEM query
high Strong Medium FP
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
status test author frack113, Florian Roth (Nextron Systems) ATT&CK technique id 992a6cae-db6a-43c8-9cec-76d7195c96fc
carbon_black query
(Initiated:true (Image:\\wscript.exe OR Image:\\cscript.exe)) (-((DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*) OR DestinationIp:20.0.* OR DestinationIp:20.1.* OR DestinationIp:20.2.* OR DestinationIp:20.3.* OR DestinationIp:20.4.* OR DestinationIp:20.5.* OR DestinationIp:20.6.* OR DestinationIp:20.7.* OR DestinationIp:20.8.* OR DestinationIp:20.9.* OR DestinationIp:20.10.* OR DestinationIp:20.11.* OR DestinationIp:20.12.* OR DestinationIp:20.13.* OR DestinationIp:20.14.* OR DestinationIp:20.15.* OR DestinationIp:20.16.* OR DestinationIp:20.17.* OR DestinationIp:20.18.* OR DestinationIp:20.19.* OR DestinationIp:20.20.* OR DestinationIp:20.21.* OR DestinationIp:20.22.* OR DestinationIp:20.23.* OR DestinationIp:20.24.* OR DestinationIp:20.25.* OR DestinationIp:20.26.* OR DestinationIp:20.27.* OR DestinationIp:20.28.* OR DestinationIp:20.29.* OR DestinationIp:20.30.* OR DestinationIp:20.31.*))
view Sigma YAML 
title: Outbound Network Connection Initiated By Script Interpreter
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
related:
    - id: 08249dc0-a28d-4555-8ba5-9255a198e08c
      type: derived
status: test
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-28
modified: 2024-03-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate scripts
level: high
Convert to SIEM query
high Strong Medium FP
Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
status test author Muhammad Faisal (@faisalusuf) ATT&CK sub-technique id 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
carbon_black query
action:dependabot_alerts_new_repos.disable OR action:dependabot_alerts.disable OR action:dependabot_security_updates_new_repos.disable OR action:dependabot_security_updates.disable OR action:repository_vulnerability_alerts.disable
view Sigma YAML 
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: test
description: |
    Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
    This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
    - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
tags:
    - attack.initial-access
    - attack.t1195.001
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'dependabot_alerts_new_repos.disable'
            - 'dependabot_alerts.disable'
            - 'dependabot_security_updates_new_repos.disable'
            - 'dependabot_security_updates.disable'
            - 'repository_vulnerability_alerts.disable'
    condition: selection
falsepositives:
    - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
Convert to SIEM query
high Moderate High FP
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
status test author Markus Neis, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 55f0a3a1-846e-40eb-8273-677371b8d912
carbon_black query
CommandLine:\\Outlook\\Security\\EnableUnsafeClientMailRules*
view Sigma YAML 
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
carbon_black query
TargetObject:\\Outlook\\Security\\EnableUnsafeClientMailRules Details:DWORD\ \(0x00000001\)
view Sigma YAML 
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
      type: similar
    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
status test author @ScoubiMtl ATT&CK technique id e3b50fa5-3c3f-444e-937b-0a99d33731cd
carbon_black query
TargetObject:\\Outlook\\Security\\Level Details:0x00000001*
view Sigma YAML 
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate High FP
PCRE.NET Package Image Load
Detects processes loading modules related to PCRE.NET package
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK technique id 84b0a8f3-680b-4096-a45b-e9a89221727c
carbon_black query
ImageLoaded:\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\*
view Sigma YAML 
title: PCRE.NET Package Image Load
id: 84b0a8f3-680b-4096-a45b-e9a89221727c
status: test
description: Detects processes loading modules related to PCRE.NET package
references:
    - https://twitter.com/rbmaslen/status/1321859647091970051
    - https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK technique id 6e90ae7a-7cd3-473f-a035-4ebb72d961da
carbon_black query
TargetFilename:\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\*
view Sigma YAML 
title: PCRE.NET Package Temp Files
id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
status: test
description: Detects processes creating temp files related to PCRE.NET package
references:
    - https://twitter.com/rbmaslen/status/1321859647091970051
    - https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
PDF File Created By RegEdit.EXE
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 145095eb-e273-443b-83d0-f9b519b7867b
carbon_black query
Image:\\regedit.exe TargetFilename:.pdf
view Sigma YAML 
title: PDF File Created By RegEdit.EXE
id: 145095eb-e273-443b-83d0-f9b519b7867b
status: test
description: |
    Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
    This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
references:
    - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-08
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        TargetFilename|endswith: '.pdf'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
PIM Alert Setting Changes To Disabled
Detects when PIM alerts are set to disabled.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' ATT&CK technique id aeaef14c-e5bf-4690-a9c8-835caad458bd
carbon_black query
"properties.message":Disable\ PIM\ Alert
view Sigma YAML 
title: PIM Alert Setting Changes To Disabled
id: aeaef14c-e5bf-4690-a9c8-835caad458bd
status: test
description: Detects when PIM alerts are set to disabled.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Disable PIM Alert
    condition: selection
falsepositives:
    - Administrator disabling PIM alerts as an active choice.
level: high
Convert to SIEM query
high Moderate Medium FP
PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
status test author Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' ATT&CK sub-technique id 039a7469-0296-4450-84c0-f6966b16dc6d
carbon_black query
"properties.message":Request\ Approved\/Denied
view Sigma YAML 
title: PIM Approvals And Deny Elevation
id: 039a7469-0296-4450-84c0-f6966b16dc6d
status: test
description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Request Approved/Denied
    condition: selection
falsepositives:
    - Actual admin using PIM.
level: high
Convert to SIEM query
high Moderate High FP
PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
status experimental author Jason (https://github.com/0xbcf) ATT&CK sub-technique id 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
carbon_black query
(Image:\\WerFaultSecure.exe OR OriginalFileName:WerFaultSecure.exe) (CommandLine:\ \/h\ * CommandLine:\ \/pid\ * CommandLine:\ \/tid\ * CommandLine:\ \/encfile\ * CommandLine:\ \/cancel\ * CommandLine:\ \/type\ * CommandLine:\ 268310*)
view Sigma YAML 
title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
      type: similar
    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
      type: similar
status: experimental
description: |
    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
    This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
    Distinct command line patterns help identify the specific tool:
    - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
    - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
    Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
    - https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\WerFaultSecure.exe'
        - OriginalFileName: 'WerFaultSecure.exe'
    selection_args:
        CommandLine|contains|all:
            - ' /h '
            - ' /pid ' # Antimalware or EDR process pid will be after this flag
            - ' /tid '
            - ' /encfile '
            - ' /cancel '
            - ' /type '
            - ' 268310'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of WerFaultSecure for debugging purposes
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
Convert to SIEM query
high Moderate High FP
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id afd3df04-948d-46f6-ae44-25966c44b97f
carbon_black query
ScriptBlockText:PSAsyncShell*
view Sigma YAML 
title: PSAsyncShell - Asynchronous TCP Reverse Shell
id: afd3df04-948d-46f6-ae44-25966c44b97f
status: test
description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
references:
    - https://github.com/JoelGMSec/PSAsyncShell
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-04
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'PSAsyncShell'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
PSEXEC Remote Execution File Artefact
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
carbon_black query
TargetFilename:C\:\\Windows\\PSEXEC\-* TargetFilename:.key
view Sigma YAML 
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: test
description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
references:
    - https://aboutdfir.com/the-key-to-identify-psexec/
    - https://twitter.com/davisrichardg/status/1616518800584704028
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-21
modified: 2023-02-23
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1136.002
    - attack.t1543.003
    - attack.t1570
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\PSEXEC-'
        TargetFilename|endswith: '.key'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands
status test author Bhabesh Raj ATT&CK sub-technique id 97b9ce1e-c5ab-11ea-87d0-0242ac130003
carbon_black query
EventID:1121 (ProcessName:\\wmiprvse.exe OR ProcessName:\\psexesvc.exe)
view Sigma YAML 
title: PSExec and WMI Process Creations Block
id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
status: test
description: Detects blocking of process creations originating from PSExec and WMI commands
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
    - https://twitter.com/duff22b/status/1280166329660497920
author: Bhabesh Raj
date: 2020-07-14
modified: 2022-12-25
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1047
    - attack.t1569.002
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
detection:
    selection:
        EventID: 1121
        ProcessName|endswith:
            - '\wmiprvse.exe'
            - '\psexesvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
PUA - 3Proxy Execution
Detects the use of 3proxy, a tiny free proxy server
status test author Florian Roth (Nextron Systems) ATT&CK technique id f38a82d2-fba3-4781-b549-525efbec8506
carbon_black query
Image:\\3proxy.exe OR Description:3proxy\ \-\ tiny\ proxy\ server OR CommandLine:.exe\ \-i127.0.0.1\ \-p*
view Sigma YAML 
title: PUA - 3Proxy Execution
id: f38a82d2-fba3-4781-b549-525efbec8506
status: test
description: Detects the use of 3proxy, a tiny free proxy server
references:
    - https://github.com/3proxy/3proxy
    - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\3proxy.exe'
    selection_pe:
        Description: '3proxy - tiny proxy server'
    selection_params: # param combos seen in the wild
        CommandLine|contains: '.exe -i127.0.0.1 -p'
    condition: 1 of selection_*
falsepositives:
    - Administrative activity
level: high
Convert to SIEM query
high Strong High FP
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
status test author Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community ATT&CK sub-technique id 9a132afa-654e-11eb-ae93-0242ac130002
carbon_black query
CommandLine:domainlist* OR CommandLine:trustdmp* OR CommandLine:dcmodes* OR CommandLine:adinfo* OR CommandLine:\-sc\ dclist* OR CommandLine:computer_pwdnotreqd* OR CommandLine:objectcategory=* OR CommandLine:\-subnets\ \-f* OR CommandLine:name=\"Domain\ Admins\"* OR CommandLine:\-sc\ u\:* OR CommandLine:domainncs* OR CommandLine:dompol* OR CommandLine:\ oudmp\ * OR CommandLine:subnetdmp* OR CommandLine:gpodmp* OR CommandLine:fspdmp* OR CommandLine:users_noexpire* OR CommandLine:computers_active* OR CommandLine:computers_pwdnotreqd*
view Sigma YAML 
title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
    - id: 75df3b17-8bcc-4565-b89b-c9898acef911
      type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-recon/
    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
date: 2021-02-02
modified: 2025-10-24
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.002
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'domainlist'
            - 'trustdmp'
            - 'dcmodes'
            - 'adinfo'
            - '-sc dclist'
            - 'computer_pwdnotreqd'
            - 'objectcategory='
            - '-subnets -f'
            - 'name="Domain Admins"'
            - '-sc u:'
            - 'domainncs'
            - 'dompol'
            - ' oudmp '
            - 'subnetdmp'
            - 'gpodmp'
            - 'fspdmp'
            - 'users_noexpire'
            - 'computers_active'
            - 'computers_pwdnotreqd'
    condition: selection
falsepositives:
    - Legitimate admin activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
simulation:
    - type: atomic-red-team
      name: Adfind - Enumerate Active Directory Computer Objects
      technique: T1018
      atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4
    - type: atomic-red-team
      name: Adfind - Enumerate Active Directory Domain Controller Objects
      technique: T1018
      atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
Convert to SIEM query
high Strong High FP
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id fa00b701-44c6-4679-994d-5a18afa8a707
carbon_black query
(CommandLine:\/EXEFilename* OR CommandLine:\/CommandLine*) ((CommandLine:\ \/RunAs\ 8\ * OR CommandLine:\ \/RunAs\ 4\ * OR CommandLine:\ \/RunAs\ 10\ * OR CommandLine:\ \/RunAs\ 11\ *) OR (CommandLine:\/RunAs\ 8 OR CommandLine:\/RunAs\ 4 OR CommandLine:\/RunAs\ 10 OR CommandLine:\/RunAs\ 11))
view Sigma YAML 
title: PUA - AdvancedRun Suspicious Execution
id: fa00b701-44c6-4679-994d-5a18afa8a707
related:
    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
      type: similar
status: test
description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '/EXEFilename'
            - '/CommandLine'
    selection_runas:
        - CommandLine|contains:
              - ' /RunAs 8 '
              - ' /RunAs 4 '
              - ' /RunAs 10 '
              - ' /RunAs 11 '
        - CommandLine|endswith:
              - '/RunAs 8'
              - '/RunAs 4'
              - '/RunAs 10'
              - '/RunAs 11'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml
Convert to SIEM query
high Strong Medium FP
PUA - Chisel Tunneling Tool Execution
Detects usage of the Chisel tunneling tool via the commandline arguments
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 8b0e12da-d3c3-49db-bb4f-256703f380e5
carbon_black query
Image:\\chisel.exe OR ((CommandLine:exe\ client\ * OR CommandLine:exe\ server\ *) (CommandLine:\-socks5* OR CommandLine:\-reverse* OR CommandLine:\ r\:* OR CommandLine:\:127.0.0.1\:* OR CommandLine:\-tls\-skip\-verify\ * OR CommandLine:\:socks*))
view Sigma YAML 
title: PUA - Chisel Tunneling Tool Execution
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
related:
    - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
      type: similar
status: test
description: Detects usage of the Chisel tunneling tool via the commandline arguments
references:
    - https://github.com/jpillora/chisel/
    - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
    - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1090.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\chisel.exe'
    selection_param1:
        CommandLine|contains:
            - 'exe client '
            - 'exe server '
    selection_param2:
        CommandLine|contains:
            - '-socks5'
            - '-reverse'
            - ' r:'
            - ':127.0.0.1:'
            - '-tls-skip-verify '
            - ':socks'
    condition: selection_img or all of selection_param*
falsepositives:
    - Some false positives may occur with other tools with similar commandlines
level: high
Convert to SIEM query
high Strong Medium FP
PUA - CleanWipe Execution
Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id f44800ac-38ec-471f-936e-3fa7d9c53100
carbon_black query
Image:\\SepRemovalToolNative_x64.exe OR (Image:\\CATClean.exe CommandLine:\-\-uninstall*) OR (Image:\\NetInstaller.exe CommandLine:\-r*) OR (Image:\\WFPUnins.exe (CommandLine:\/uninstall* CommandLine:\/enterprise*))
view Sigma YAML 
title: PUA - CleanWipe Execution
id: f44800ac-38ec-471f-936e-3fa7d9c53100
status: test
description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\SepRemovalToolNative_x64.exe'
    selection2:
        Image|endswith: '\CATClean.exe'
        CommandLine|contains: '--uninstall'
    selection3:
        Image|endswith: '\NetInstaller.exe'
        CommandLine|contains: '-r'
    selection4:
        Image|endswith: '\WFPUnins.exe'
        CommandLine|contains|all:
            - '/uninstall'
            - '/enterprise'
    condition: 1 of selection*
falsepositives:
    - Legitimate administrative use (Should be investigated either way)
level: high
Convert to SIEM query
high Moderate High FP
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
status test author pH-T (Nextron Systems) ATT&CK sub-technique id 2c32b543-1058-4808-91c6-5b31b8bed6c5
carbon_black query
Image:\\Crassus.exe OR OriginalFileName:Crassus.exe OR Description:Crassus*
view Sigma YAML 
title: PUA - Crassus Execution
id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
status: test
description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
references:
    - https://github.com/vu-ls/Crassus
author: pH-T (Nextron Systems)
date: 2023-04-17
tags:
    - attack.discovery
    - attack.reconnaissance
    - attack.t1590.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Crassus.exe'
        - OriginalFileName: 'Crassus.exe'
        - Description|contains: 'Crassus'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
PUA - CsExec Execution
Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id d08a2711-ee8b-4323-bdec-b7d85e892b31
carbon_black query
Image:\\csexec.exe OR Description:csexec
view Sigma YAML 
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
    - https://github.com/malcomvetter/CSExec
    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
    - attack.resource-development
    - attack.t1587.001
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csexec.exe'
    selection_pe:
        Description: 'csexec'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
PUA - DIT Snapshot Viewer
Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
status test author Furkan Caliskan (@caliskanfurkan_) ATT&CK sub-technique id d3b70aad-097e-409c-9df2-450f80dc476b
carbon_black query
Image:\\ditsnap.exe OR CommandLine:ditsnap.exe*
view Sigma YAML 
title: PUA - DIT Snapshot Viewer
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
references:
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
author: Furkan Caliskan (@caliskanfurkan_)
date: 2020-07-04
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\ditsnap.exe'
        - CommandLine|contains: 'ditsnap.exe'
    condition: selection
falsepositives:
    - Legitimate admin usage
level: high
Convert to SIEM query
high Moderate High FP
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
carbon_black query
Image:\\DefenderCheck.exe OR Description:DefenderCheck
view Sigma YAML 
title: PUA - DefenderCheck Execution
id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
status: test
description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
references:
    - https://github.com/matterpreter/DefenderCheck
author: Florian Roth (Nextron Systems)
date: 2022-08-30
modified: 2023-02-04
tags:
    - attack.stealth
    - attack.t1027.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\DefenderCheck.exe'
        - Description: 'DefenderCheck'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong Medium FP
PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
status test author frack113, Florian Roth ATT&CK technique id 32410e29-5f94-4568-b6a3-d91a8adad863
carbon_black query
(Image:\\frpc.exe OR Image:\\frps.exe) OR CommandLine:\\frpc.ini* OR (Hashes:MD5=7D9C233B8C9E3F0EA290D2B84593C842* OR Hashes:SHA1=06DDC9280E1F1810677935A2477012960905942F* OR Hashes:SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C*)
view Sigma YAML 
title: PUA - Fast Reverse Proxy (FRP) Execution
id: 32410e29-5f94-4568-b6a3-d91a8adad863
status: test
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
references:
    - https://asec.ahnlab.com/en/38156/
    - https://github.com/fatedier/frp
author: frack113, Florian Roth
date: 2022-09-02
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\frpc.exe'
            - '\frps.exe'
    selection_cli:
        CommandLine|contains: '\frpc.ini'
    selection_hashes:
        # v0.44.0
        Hashes|contains:
            - "MD5=7D9C233B8C9E3F0EA290D2B84593C842"
            - "SHA1=06DDC9280E1F1810677935A2477012960905942F"
            - "SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C"
    condition: 1 of selection_*
falsepositives:
    - Legitimate use
level: high
Convert to SIEM query
high Moderate High FP
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.
status experimental author Matt Anderson, Dray Agha, Anna Pham (Huntress) ATT&CK sub-technique id e76ca062-4de0-4d79-8d90-160a0d335eca
carbon_black query
((Image:\\kdu.exe OR Image:\\hamakaze.exe) OR OriginalFileName:hamakaze.exe) (CommandLine:\-map\ * OR CommandLine:\-prv\ * OR CommandLine:\-dse\ * OR CommandLine:\-ps\ *)
view Sigma YAML 
title: PUA - Kernel Driver Utility (KDU) Execution
id: e76ca062-4de0-4d79-8d90-160a0d335eca
status: experimental
description: |
    Detects execution of the Kernel Driver Utility (KDU) tool.
    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
    Potentially allowing for privilege escalation, persistence, or evasion of security controls.
references:
    - https://github.com/h4rmy/KDU
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\kdu.exe'
              - '\hamakaze.exe'
        - OriginalFileName: 'hamakaze.exe'
    selection_cli_suspicious:
        CommandLine|contains:
            - '-map ' # map driver to the kernel and execute it entry point
            - '-prv ' # optional, select vulnerability driver provider
            - '-dse ' # write user defined value to the system DSE state flags; dse=0(disable),dse=1(enable)
            - '-ps ' #  modify process object of given ProcessID;
    condition: all of selection_*
falsepositives:
    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml
Convert to SIEM query
high Moderate High FP
PUA - Memory Dump Mount Via MemProcFS
Detects execution of MemProcFS a memory forensics tool with the '-device' parameter. MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures. Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials. MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 8a1b2c3d-4e5f-6789-abcd-ef1234567890
carbon_black query
(Image:\\MemProcFS.exe OR OriginalFileName:MemProcFS.exe OR Description:MemProcFS) CommandLine:\-device*
view Sigma YAML 
title: PUA - Memory Dump Mount Via MemProcFS
id: 8a1b2c3d-4e5f-6789-abcd-ef1234567890
status: experimental
description: |
    Detects execution of MemProcFS a memory forensics tool with the '-device' parameter.
    MemProcFS mounts physical memory as a virtual file system, allowing direct access to process memory and system structures.
    Threat actors were seen abusing this utility to mount memory dumps and then extract sensitive information from processes like LSASS or extract registry hives to obtain credentials, LSA secrets, SAM data, and cached domain credentials.
    MemProcFS usage that is not part of authorized forensic analysis should be treated as suspicious and warrants further investigation.
references:
    - https://github.com/ufrisk/MemProcFS
    - https://0xdf.gitlab.io/2024/10/05/htb-freelancer.html#
    - https://www.huntress.com/blog/curling-for-data-a-dive-into-a-threat-actors-malicious-ttps
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
    - attack.t1003.004
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MemProcFS.exe'
        - OriginalFileName: 'MemProcFS.exe'
        - Description: 'MemProcFS'
    selection_cli:
        CommandLine|contains: '-device'
    condition: all of selection_*
falsepositives:
    - Legitimate use during memory forensics; if not part of authorized analysis, warrants urgent investigation
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_memprocfs/info.yml
Convert to SIEM query
high Strong Medium FP
PUA - NPS Tunneling Tool Execution
Detects the use of NPS, a port forwarding and intranet penetration proxy server
status test author Florian Roth (Nextron Systems) ATT&CK technique id 68d37776-61db-42f5-bf54-27e87072d17e
carbon_black query
Image:\\npc.exe OR (CommandLine:\ \-server=* CommandLine:\ \-vkey=* CommandLine:\ \-password=*) OR CommandLine:\ \-config=npc* OR (Hashes:MD5=AE8ACF66BFE3A44148964048B826D005* OR Hashes:SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181* OR Hashes:SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856*)
view Sigma YAML 
title: PUA - NPS Tunneling Tool Execution
id: 68d37776-61db-42f5-bf54-27e87072d17e
status: test
description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
references:
    - https://github.com/ehang-io/nps
author: Florian Roth (Nextron Systems)
date: 2022-10-08
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\npc.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - ' -server='
            - ' -vkey='
            - ' -password='
    selection_cli_2:
        CommandLine|contains: ' -config=npc'
    selection_hashes:
        # v0.26.10
        Hashes|contains:
            - "MD5=AE8ACF66BFE3A44148964048B826D005"
            - "SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181"
            - "SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856"
    condition: 1 of selection_*
falsepositives:
    - Legitimate use
level: high
Convert to SIEM query
high Strong High FP
PUA - NSudo Execution
Detects the use of NSudo tool for command execution
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali ATT&CK sub-technique id 771d1eb5-9587-4568-95fb-9ec44153a012
carbon_black query
((Image:\\NSudo.exe OR Image:\\NSudoLC.exe OR Image:\\NSudoLG.exe) OR (OriginalFileName:NSudo.exe OR OriginalFileName:NSudoLC.exe OR OriginalFileName:NSudoLG.exe)) (CommandLine:\-U\:S\ * OR CommandLine:\-U\:T\ * OR CommandLine:\-U\:E\ * OR CommandLine:\-P\:E\ * OR CommandLine:\-M\:S\ * OR CommandLine:\-M\:H\ * OR CommandLine:\-U=S\ * OR CommandLine:\-U=T\ * OR CommandLine:\-U=E\ * OR CommandLine:\-P=E\ * OR CommandLine:\-M=S\ * OR CommandLine:\-M=H\ * OR CommandLine:\-ShowWindowMode\:Hide*)
view Sigma YAML 
title: PUA - NSudo Execution
id: 771d1eb5-9587-4568-95fb-9ec44153a012
status: test
description: Detects the use of NSudo tool for command execution
references:
    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\NSudo.exe'
              - '\NSudoLC.exe'
              - '\NSudoLG.exe'
        - OriginalFileName:
              - 'NSudo.exe'
              - 'NSudoLC.exe'
              - 'NSudoLG.exe'
    selection_cli:
        CommandLine|contains:
            # Covers Single/Double dash "-"/"--" + ":"
            - '-U:S ' # System
            - '-U:T ' # Trusted Installer
            - '-U:E ' # Elevated
            - '-P:E ' # Enable All Privileges
            - '-M:S ' # System Integrity
            - '-M:H ' # High Integrity
            # Covers Single/Double dash "-"/"--" + "="
            - '-U=S '
            - '-U=T '
            - '-U=E '
            - '-P=E '
            - '-M=S '
            - '-M=H '
            - '-ShowWindowMode:Hide'
    condition: all of selection_*
falsepositives:
    - Legitimate use by administrators
level: high
Convert to SIEM query
high Strong High FP
PUA - Netcat Suspicious Execution
Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
status test author frack113, Florian Roth (Nextron Systems) ATT&CK technique id e31033fc-33f0-4020-9a16-faf9b31cbf08
carbon_black query
(Image:\\nc.exe OR Image:\\ncat.exe OR Image:\\netcat.exe) OR (CommandLine:\ \-lvp\ * OR CommandLine:\ \-lvnp* OR CommandLine:\ \-l\ \-v\ \-p\ * OR CommandLine:\ \-lv\ \-p\ * OR CommandLine:\ \-l\ \-\-proxy\-type\ http\ * OR CommandLine:\ \-vnl\ \-\-exec\ * OR CommandLine:\ \-vnl\ \-e\ * OR CommandLine:\ \-\-lua\-exec\ * OR CommandLine:\ \-\-sh\-exec\ *)
view Sigma YAML 
title: PUA - Netcat Suspicious Execution
id: e31033fc-33f0-4020-9a16-faf9b31cbf08
status: test
description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
    - https://www.revshells.com/
author: frack113, Florian Roth (Nextron Systems)
date: 2021-07-21
modified: 2023-02-08
tags:
    - attack.command-and-control
    - attack.t1095
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # can not use OriginalFileName as is empty
        Image|endswith:
            - '\nc.exe'
            - '\ncat.exe'
            - '\netcat.exe'
    selection_cmdline:
        # Typical command lines
        CommandLine|contains:
            - ' -lvp '
            - ' -lvnp'
            - ' -l -v -p '
            - ' -lv -p '
            - ' -l --proxy-type http '
            # - ' --exec cmd.exe ' # Not specific enough for netcat
            - ' -vnl --exec '
            - ' -vnl -e '
            - ' --lua-exec '
            - ' --sh-exec '
    condition: 1 of selection_*
falsepositives:
    - Legitimate ncat use
level: high
Convert to SIEM query
high Strong Medium FP
PUA - Ngrok Execution
Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
status test author Florian Roth (Nextron Systems) ATT&CK technique id ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
carbon_black query
(CommandLine:\ tcp\ 139* OR CommandLine:\ tcp\ 445* OR CommandLine:\ tcp\ 3389* OR CommandLine:\ tcp\ 5985* OR CommandLine:\ tcp\ 5986*) OR (CommandLine:\ start\ * CommandLine:\-\-all* CommandLine:\-\-config* CommandLine:.yml*) OR (Image:ngrok.exe (CommandLine:\ tcp\ * OR CommandLine:\ http\ * OR CommandLine:\ authtoken\ *)) OR (CommandLine:.exe\ authtoken\ * OR CommandLine:.exe\ start\ \-\-all*)
view Sigma YAML 
title: PUA - Ngrok Execution
id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
status: test
description: |
  Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
  Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
references:
    - https://ngrok.com/docs
    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
    - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
    - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
    - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
    - https://twitter.com/xorJosh/status/1598646907802451969
    - https://www.softwaretestinghelp.com/how-to-use-ngrok/
author: Florian Roth (Nextron Systems)
date: 2021-05-14
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - ' tcp 139'
            - ' tcp 445'
            - ' tcp 3389'
            - ' tcp 5985'
            - ' tcp 5986'
    selection2:
        CommandLine|contains|all:
            - ' start '
            - '--all'
            - '--config'
            - '.yml'
    selection3:
        Image|endswith: 'ngrok.exe'
        CommandLine|contains:
            - ' tcp '
            - ' http '
            - ' authtoken '
    selection4:
        CommandLine|contains:
            - '.exe authtoken '
            - '.exe start --all'
    condition: 1 of selection*
falsepositives:
    - Another tool that uses the command line switches of Ngrok
    - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
level: high
Convert to SIEM query
high Strong High FP
PUA - Nimgrab Execution
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
status test author frack113 ATT&CK technique id 74a12f18-505c-4114-8d0b-8448dd5485c6
carbon_black query
Image:\\nimgrab.exe OR (Hashes:MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B* OR Hashes:SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559* OR Hashes:IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45*)
view Sigma YAML 
title: PUA - Nimgrab Execution
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: test
description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-11-23
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Nim on a developer systems
level: high
Convert to SIEM query
high Strong High FP
PUA - NirCmd Execution As LOCAL SYSTEM
Detects the use of NirCmd tool for command execution as SYSTEM user
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id d9047477-0359-48c9-b8c7-792cedcdc9c4
carbon_black query
CommandLine:\ runassystem\ *
view Sigma YAML 
title: PUA - NirCmd Execution As LOCAL SYSTEM
id: d9047477-0359-48c9-b8c7-792cedcdc9c4
status: test
description: Detects the use of NirCmd tool for command execution as SYSTEM user
references:
    - https://www.nirsoft.net/utils/nircmd.html
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
    - https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' runassystem '
    condition: selection
falsepositives:
    - Legitimate use by administrators
level: high
Convert to SIEM query
high Strong Medium FP
PUA - PingCastle Execution From Potentially Suspicious Parent
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) ATT&CK technique id b37998de-a70b-4f33-b219-ec36bf433dc0
carbon_black query
((ParentCommandLine:.bat* OR ParentCommandLine:.chm* OR ParentCommandLine:.cmd* OR ParentCommandLine:.hta* OR ParentCommandLine:.htm* OR ParentCommandLine:.html* OR ParentCommandLine:.js* OR ParentCommandLine:.lnk* OR ParentCommandLine:.ps1* OR ParentCommandLine:.vbe* OR ParentCommandLine:.vbs* OR ParentCommandLine:.wsf*) OR (ParentCommandLine:\:\\Perflogs\\* OR ParentCommandLine:\:\\Temp\\* OR ParentCommandLine:\:\\Users\\Public\\* OR ParentCommandLine:\:\\Windows\\Temp\\* OR ParentCommandLine:\\AppData\\Local\\Temp* OR ParentCommandLine:\\AppData\\Roaming\\* OR ParentCommandLine:\\Temporary\ Internet*) OR ((ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Favorites\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Favourites\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Contacts\\*))) (ParentCommandLine:.bat* OR ParentCommandLine:.chm* OR ParentCommandLine:.cmd* OR ParentCommandLine:.hta* OR ParentCommandLine:.htm* OR ParentCommandLine:.html* OR ParentCommandLine:.js* OR ParentCommandLine:.lnk* OR ParentCommandLine:.ps1* OR ParentCommandLine:.vbe* OR ParentCommandLine:.vbs* OR ParentCommandLine:.wsf*) (Image:\\PingCastle.exe OR OriginalFileName:PingCastle.exe OR Product:Ping\ Castle OR (CommandLine:\-\-scanner\ aclcheck* OR CommandLine:\-\-scanner\ antivirus* OR CommandLine:\-\-scanner\ computerversion* OR CommandLine:\-\-scanner\ foreignusers* OR CommandLine:\-\-scanner\ laps_bitlocker* OR CommandLine:\-\-scanner\ localadmin* OR CommandLine:\-\-scanner\ nullsession* OR CommandLine:\-\-scanner\ nullsession\-trust* OR CommandLine:\-\-scanner\ oxidbindings* OR CommandLine:\-\-scanner\ remote* OR CommandLine:\-\-scanner\ share* OR CommandLine:\-\-scanner\ smb* OR CommandLine:\-\-scanner\ smb3querynetwork* OR CommandLine:\-\-scanner\ spooler* OR CommandLine:\-\-scanner\ startup* OR CommandLine:\-\-scanner\ zerologon*) OR CommandLine:\-\-no\-enum\-limit* OR (CommandLine:\-\-healthcheck* CommandLine:\-\-level\ Full*) OR (CommandLine:\-\-healthcheck* CommandLine:\-\-server\ *))
view Sigma YAML 
title: PUA - PingCastle Execution From Potentially Suspicious Parent
id: b37998de-a70b-4f33-b219-ec36bf433dc0
related:
    - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
      type: derived
status: test
description: |
    Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
references:
    - https://github.com/vletoux/pingcastle
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-01-11
tags:
    - attack.reconnaissance
    - attack.t1595
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_ext:
        ParentCommandLine|contains:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.hta'
            - '.htm'
            - '.html'
            - '.js'
            - '.lnk'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    selection_parent_path_1:
        ParentCommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
    selection_parent_path_2:
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    selection_cli:
        - Image|endswith: '\PingCastle.exe'
        - OriginalFileName: PingCastle.exe
        - Product: 'Ping Castle'
        - CommandLine|contains:
              - '--scanner aclcheck'
              - '--scanner antivirus'
              - '--scanner computerversion'
              - '--scanner foreignusers'
              - '--scanner laps_bitlocker'
              - '--scanner localadmin'
              - '--scanner nullsession'
              - '--scanner nullsession-trust'
              - '--scanner oxidbindings'
              - '--scanner remote'
              - '--scanner share'
              - '--scanner smb'
              - '--scanner smb3querynetwork'
              - '--scanner spooler'
              - '--scanner startup'
              - '--scanner zerologon'
        - CommandLine|contains: '--no-enum-limit'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--level Full'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--server '
    condition: 1 of selection_parent_* and selection_parent_ext and selection_cli
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate High FP
PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool
status test author Florian Roth (Nextron Systems) ATT&CK technique id 67add051-9ee7-4ad3-93ba-42935615ae8d
carbon_black query
ImageLoaded:\\kprocesshacker.sys OR (Hashes:IMPHASH=821D74031D3F625BCBD0DF08B70F1E77* OR Hashes:IMPHASH=F86759BB4DE4320918615DC06E998A39* OR Hashes:IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18* OR Hashes:IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0*)
view Sigma YAML 
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
      type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
    - https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - cve.2021-21551
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\kprocesshacker.sys'
        - Hashes|contains:
              - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
              - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
              - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
              - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
    condition: selection
falsepositives:
    - Legitimate use of process hacker or system informer by developers or system administrators
level: high
Convert to SIEM query
high Strong Medium FP
PUA - Rclone Execution
Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
status test author Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group ATT&CK sub-technique id e37db05d-d1f9-49c8-b464-cee1a4b11638
carbon_black query
(CommandLine:\-\-config\ * CommandLine:\-\-no\-check\-certificate\ * CommandLine:\ copy\ *) OR ((Image:\\rclone.exe OR Description:Rsync\ for\ cloud\ storage) (CommandLine:pass* OR CommandLine:user* OR CommandLine:copy* OR CommandLine:sync* OR CommandLine:config* OR CommandLine:lsd* OR CommandLine:remote* OR CommandLine:ls* OR CommandLine:mega* OR CommandLine:pcloud* OR CommandLine:ftp* OR CommandLine:ignore\-existing* OR CommandLine:auto\-confirm* OR CommandLine:transfers* OR CommandLine:multi\-thread\-streams* OR CommandLine:no\-check\-certificate\ *))
view Sigma YAML 
title: PUA - Rclone Execution
id: e37db05d-d1f9-49c8-b464-cee1a4b11638
related:
    - id: a0d63692-a531-4912-ad39-4393325b2a9c
      type: obsolete
    - id: cb7286ba-f207-44ab-b9e6-760d82b84253
      type: obsolete
status: test
description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
    - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
    - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-10
modified: 2023-03-05
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_specific_options:
        CommandLine|contains|all:
            - '--config '
            - '--no-check-certificate '
            - ' copy '
    selection_rclone_img:
        - Image|endswith: '\rclone.exe'
        - Description: 'Rsync for cloud storage'
    selection_rclone_cli:
        CommandLine|contains:
            - 'pass'
            - 'user'
            - 'copy'
            - 'sync'
            - 'config'
            - 'lsd'
            - 'remote'
            - 'ls'
            - 'mega'
            - 'pcloud'
            - 'ftp'
            - 'ignore-existing'
            - 'auto-confirm'
            - 'transfers'
            - 'multi-thread-streams'
            - 'no-check-certificate '
    condition: selection_specific_options or all of selection_rclone_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
Showing 701-750 of 1,677
Prev 15 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh