title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
    Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2025-10-08
tags:
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
            - 'ipconfig*|*find'
            - 'net*|*find'
            - 'netstat*|*find'
            - 'ping*|*find'
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
    filter_optional_xampp:
        CommandLine|contains|all:
            - 'cmd.exe /c TASKLIST /V |'
            - 'FIND /I'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml

title: Recon Information for Export with Command Prompt
id: aa2efee7-34dd-446e-8a37-40790a66efd7
related:
    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
      type: similar
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-30
modified: 2022-09-13
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: process_creation
detection:
    selection_image:
        - Image|endswith:
              - '\tree.com'
              - '\WMIC.exe'
              - '\doskey.exe'
              - '\sc.exe'
        - OriginalFileName:
              - 'wmic.exe'
              - 'DOSKEY.EXE'
              - 'sc.exe'
    selection_redirect:
        ParentCommandLine|contains:
            - ' > %TEMP%\'
            - ' > %TMP%\'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Recon Information for Export with PowerShell
id: a9723fcc-881c-424c-8709-fd61442ab3c3
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-30
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - 'Get-Service '
            - 'Get-ChildItem '
            - 'Get-Process '
    selection_redirect:
        ScriptBlockText|contains: '> $env:TEMP\'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: RegAsm.EXE Initiating Network Connection To Public IP
id: 0531e43a-d77d-47c2-b89f-5fe50321c805
status: test
description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
references:
    - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
    - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
author: frack113
date: 2024-04-25
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regasm.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Register New IFiltre For Persistence
id: b23818c7-e575-4d13-8012-332075ec0a2b
status: test
description: |
    Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
    You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
references:
    - https://persistence-info.github.io/Data/ifilters.html
    - https://twitter.com/0gtweet/status/1468548924600459267
    - https://github.com/gtworek/PSBits/tree/master/IFilter
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2024-03-26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection_ext:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\.'
            - '\PersistentHandler'
    selection_clsid:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\CLSID'
            - '\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}'
    filter_default_targets:
        TargetObject|contains:
            # TODO: Add the default extension PersistentHandler.
            # Note this could also offer blindspot as the attacker could use on of these and hijack them
            - '\CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\' # Office Open XML Format PowerPoint Persistent Handler
            - '\CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\' # Office Open XML Format Word Persistent Handler
            - '\CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\' # Microsoft OneNote Windows Desktop Search IFilter Persistent handler
            - '\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\' # Null persistent handler
            - '\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\' # PDF Persistent Handler
            - '\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\' # rtf persistent handler
            - '\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\' # Open Document Format ODT Persistent Handler
            - '\CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\' # Zip Persistent Handler
            - '\CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\' # Open Document Format ODS Persistent Handler
            - '\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\' # Setting Content File Persistent Handler
            - '\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\' # Plain Text persistent handler
            - '\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\' # Wordpad OOXML Document Filter
            - '\CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\' # XML File Persistent Handler
            - '\CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\' # .url File Persistent Handler
            - '\CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\' # html persistent handler for mapi email
            - '\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\' # Microsoft Office Persistent Handler
            - '\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\' # Wordpad ODT Document Filter
            - '\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\' # App Content File Persistent Handler
            - '\CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\' # rtf persistent handler for mapi email
            - '\CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\' # text persistent handler for mapi email
            - '\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\' # Open Document Format ODP Persistent Handler
            - '\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\' # Microsoft OneNote Section persistent handler
            - '\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler
            # - '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)
            - '\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\' # Office Outlook MSG Persistent Handler
    filter_generic_paths:
        Image|startswith:
            # Note: We assume if an attacker has access to one of these directories. Then he already has admin.
            - 'C:\Windows\System32\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate registration of IFilters by the OS or software
level: medium

title: Registry Explorer Policy Modification
id: 1c3121ed-041b-4d97-a075-07f54f20fb4a
status: test
description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu'
        Details: 'DWORD (0x00000001)'
    condition: selection_set_1
falsepositives:
    - Legitimate admin script
level: medium

title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium

title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
description: |
    Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
author: Daniel Koifman (KoifSec)
date: 2025-07-30
tags:
    - attack.persistence
    - attack.execution
    - attack.discovery
    - attack.defense-impairment
    - attack.t1047
    - attack.t1112
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'stdregprov'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium

title: Registry Modification Attempt Via VBScript
id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
related:
    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
    It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
    Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Registry Modification Attempt Via VBScript - PowerShell
id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
related:
    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands.
    Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.
    This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
    - https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1059.005
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium

title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium

title: Registry Modification to Hidden File Extension
id: 5df86130-4e95-4a54-90f7-26541b40aec2
status: test
description: Hides the file extension through modification of the registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
    - https://unit42.paloaltonetworks.com/ransomware-families/
    - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection_HideFileExt:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
        Details: 'DWORD (0x00000001)'
    selection_Hidden:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000002)'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripts
level: medium

title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
id: 1c2a3268-3881-414a-80af-a5b313b14c0e
status: test
description: |
    Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
    These can be used for example in decrypting malicious payload for defense evasion.
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
    - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
author: Andreas Braathen (mnemonic.io)
date: 2023-12-01
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1059.001
    - attack.t1027.010
    - attack.t1547.001
    - detection.threat-hunting
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\Shell\Open\Command'
    selection_value_img:
        Details|contains:
            - 'powershell'
            - 'pwsh'
    selection_value_namespace:
        Details|contains: 'System.Security.Cryptography.'
    selection_value_classes:
        Details|contains:
            - '.AesCryptoServiceProvider'
            - '.DESCryptoServiceProvider'
            - '.DSACryptoServiceProvider'
            - '.RC2CryptoServiceProvider'
            - '.Rijndael'
            - '.RSACryptoServiceProvider'
            - '.TripleDESCryptoServiceProvider'
    condition: all of selection_*
falsepositives:
    - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
level: medium

title: Registry-Free Process Scope COR_PROFILER
id: 23590215-4702-4a70-8805-8dc9e58314a2
status: test
description: |
    Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
    The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
    These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
    (Citation: Microsoft Profiling Mar 2017)
    (Citation: Microsoft COR_PROFILER Feb 2013)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.012
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '$env:COR_ENABLE_PROFILING'
            - '$env:COR_PROFILER'
            - '$env:COR_PROFILER_PATH'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium

title: Regsvr32 Execution From Potential Suspicious Location
id: 9525dc73-0327-438c-8c04-13c0e037e9da
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
references:
    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
level: medium

title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
id: ce2c44b5-a6ac-412a-afba-9e89326fa972
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: |
    Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location.
    When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
references:
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
    - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
    - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
    - https://ss64.com/nt/regsvr32.html
author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-17
tags:
    - attack.stealth
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cmdline:
        CommandLine|contains:
            - ' /s '
            - ' /e '
    filter_main_paths:
        - CommandLine|contains:
              - ':\Program Files (x86)'
              - ':\Program Files\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
        - CurrentDirectory|contains:
              - ':\Program Files (x86)'
              - ':\Program Files\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
    filter_main_other_flags:
        # Note: We filter other flags to keep the logic of the rule
        CommandLine|contains:
            - ' /i:'
            - '/U '
    filter_main_rpcproxy:
        ParentCommandLine|endswith: ':\Windows\System32\RpcProxy\RpcProxy.dll'
        CommandLine: 'regsvr32 /s rpcproxy.dll'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
level: medium

title: RemCom Service File Creation
id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
status: test
description: Detects default RemCom service filename which indicates RemCom service installation and execution
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\RemComSvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: RemCom Service Installation
id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
status: test
description: Detects RemCom service installation and execution events
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'RemComSvc'
        - ImagePath|endswith: '\RemComSvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
id: aa3168fb-d594-4f93-a92d-7a9ba675b766
status: test
description: |
    Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.

    Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
    Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.

    Hunting Opportunity 1- Weed Out The Noise

    When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through  a policy with name "test_app_1":

    ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"

    After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.

    Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours

    If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
references:
    - https://twitter.com/Kostastsale/status/1646256901506605063?s=20
    - https://www.action1.com/documentation/
author: '@kostastsale'
date: 2023-04-13
tags:
    - attack.command-and-control
    - attack.t1219.002
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_app_deployment_exec:
        ParentImage|endswith: '\action1_agent.exe'
        Image|contains: '\Windows\Action1\package_downloads\'
    selection_command_exec:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        ParentCommandLine|contains:
            - '\Action1\scripts\Run_Command_'
            - '\Action1\scripts\Run_PowerShell_'
    selection_remote_session_init:
        Image|endswith: '\agent1_remote.exe'
    condition: 1 of selection_*
falsepositives:
    - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
level: medium

title: Remote Access Tool - Ammy Admin Agent Execution
id: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14
status: test
description: Detects the execution of the Ammy Admin RMM agent for remote management.
references:
    - https://www.ammyy.com/en/admin_features.html
author: '@kostastsale'
date: 2024-08-05
tags:
    - attack.execution
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'AMMYY\aa_nts.dll",run'
    condition: selection
falsepositives:
    - Legitimate use of Ammy Admin RMM agent for remote management by admins.
level: medium

title: Remote Access Tool - AnyDesk Execution
id: b52e84a3-029e-4529-b09b-71d19dd27e94
status: test
related:
    - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
      type: similar
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: frack113
date: 2022-02-11
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
id: 41f407b5-3096-44ea-a74f-96d04fbc41be
status: test
description: |
    Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
    Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
    Use this rule to detect instances of older versions of Anydesk using the compromised certificate
    This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
references:
    - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
    - https://anydesk.com/en/changelog/windows
author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-08
tags:
    - attack.execution
    - attack.initial-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\AnyDesk.exe'
        - Description: 'AnyDesk'
        - Product: 'AnyDesk'
        - Company: 'AnyDesk Software GmbH'
    selection_version:
        FileVersion|startswith:
            - '7.0.'
            - '7.1.'
            - '8.0.1'
            - '8.0.2'
            - '8.0.3'
            - '8.0.4'
            - '8.0.5'
            - '8.0.6'
            - '8.0.7'
    filter_main_uninstall:
        CommandLine|contains:
            - ' --remove'
            - ' --uninstall'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium

title: Remote Access Tool - AnyDesk Incoming Connection
id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
status: experimental
description: |
    Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://asec.ahnlab.com/en/40263/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-09-02
modified: 2025-02-24
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
    condition: selection
falsepositives:
    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
level: medium

title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection
falsepositives:
    - Legitimate piping of the password to anydesk
    - Some FP could occur with similar tools that uses the same command line '--set-password'
level: medium

title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
id: bc533330-fc29-44c0-b245-7dc6e5939c87
status: test
description: |
    Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
references:
    - https://www.anyviewer.com/help/remote-technical-support.html
author: '@kostastsale'
date: 2024-08-03
tags:
    - attack.execution
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\AVCore.exe'
        ParentCommandLine|contains: 'AVCore.exe" -d'
        Image|endswith: '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate use for admin activity.
level: medium

title: Remote Access Tool - GoToAssist Execution
id: b6d98a4f-cef0-4abf-bbf6-24132854a83d
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'GoTo Opener'
        - Product: 'GoTo Opener'
        - Company: 'LogMeIn, Inc.'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Remote Access Tool - LogMeIn Execution
id: d85873ef-a0f8-4c48-a53a-6b621f11729d
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: LMIGuardianSvc
        - Product: LMIGuardianSvc
        - Company: LogMeIn, Inc.
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
id: 74a2b202-73e0-4693-9a3a-9d36146d0775
status: test
description: |
    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
references:
    - https://github.com/Ylianst/MeshAgent
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
author: '@Kostastsale'
date: 2024-09-22
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\meshagent.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
level: medium

title: Remote Access Tool - NetSupport Execution
id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2023-03-06
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: NetSupport Client Configurator
        - Product: NetSupport Remote Control
        - Company: NetSupport Ltd
        - OriginalFileName: PCICFGUI.EXE
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Remote Access Tool - NetSupport Execution From Unusual Location
id: 37e8d358-6408-4853-82f4-98333fca7014
status: test
description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2024-11-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\client32.exe'
        - Product|contains: 'NetSupport Remote Control'
        - OriginalFileName|contains: 'client32.exe'
        - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
    filter:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium

title: Remote Access Tool - Potential MeshAgent Execution - Windows
id: 2fbbe9ff-0afc-470b-bdc0-592198339968
related:
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium

title: Remote Access Tool - RURAT Execution From Unusual Location
id: e01fa958-6893-41d4-ae03-182477c5e77d
status: test
description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-03-05
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\rutserv.exe'
              - '\rfusclient.exe'
        - Product: 'Remote Utilities'
    filter:
        Image|startswith:
            - 'C:\Program Files\Remote Utilities'
            - 'C:\Program Files (x86)\Remote Utilities'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Remote Access Tool - ScreenConnect Execution
id: 57bff678-25d1-4d6c-8211-8ca106d12053
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'ScreenConnect Service'
        - Product: 'ScreenConnect'
        - Company: 'ScreenConnect Software'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium

title: Remote Access Tool - ScreenConnect Installation Execution
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
status: test
description: Detects ScreenConnect program starts that establish a remote access to a system.
references:
    - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2024-02-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'e=Access&'
            - 'y=Guest&'
            - '&p='
            - '&c='
            - '&k='
    condition: selection
falsepositives:
    - Legitimate use by administrative staff
level: medium

title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
      type: derived
status: test
description: |
    Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - ':\Windows\TEMP\ScreenConnect\'
            - 'run.cmd'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\dllhost.exe'
            - '\net.exe'
            - '\nltest.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\rundll32.exe'
            - '\wevtutil.exe'
    condition: selection
falsepositives:
    - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
level: medium

title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: derived
    - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
      type: derived
status: test
description: |
    Detects remote binary or command execution via the ScreenConnect Service.
    Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-02-26
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    condition: selection
falsepositives:
    - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
level: medium

title: Remote Access Tool - Simple Help Execution
id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\JWrapper-Remote Access\'
            - '\JWrapper-Remote Support\'
        Image|endswith: '\SimpleService.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium

title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
    Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
    These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
    This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
    - https://github.com/amidaware/tacticalrmm
    - https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
    - attack.command-and-control
    - attack.t1219
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\TacticalAgent\tacticalrmm.exe'
        CommandLine|contains|all:
            - '--api'
            - '--auth'
            - '--client-id'
            - '--site-id'
            - '--agent-type'
    condition: selection
falsepositives:
    - Legitimate system administrator deploying TacticalRMM
level: medium

title: Remote Access Tool - UltraViewer Execution
id: 88656cec-6c3b-487c-82c0-f73ebb805503
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2024-03-14
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Product: 'UltraViewer'
        - Company: 'DucFabulous Co,ltd'
        - OriginalFileName: 'UltraViewer_Desktop.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2024-12-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
level: medium

title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
related:
    - id: c8b00925-926c-47e3-beea-298fd563728e
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
references:
    - https://twitter.com/bohops/status/994405551751815170
    - https://redcanary.com/blog/lateral-movement-winrm-wmi/
    - https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
date: 2020-10-07
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function)
        - Image|endswith: '\cscript.exe'
        - OriginalFileName: 'cscript.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'winrm'
            - 'invoke Create wmicimv2/Win32_'
            - '-r:http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
references:
    - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\desktopimgdownldr.exe'
        ParentImage|endswith: '\desktopimgdownldr.exe'
        CommandLine|contains: '/lockscreenurl:http'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_download_1:
        CommandLine|contains|windash: ' -v '
    selection_cli_download_2:
        CommandLine|contains|windash: ' -l '
    selection_cli_download_3:
        CommandLine|contains: '\\\\'
    condition: selection_findstr and all of selection_cli_download_*
falsepositives:
    - Unknown
level: medium

title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
status: test
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1059.001
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\wsmprovhost.exe'
        - ParentImage|endswith: '\wsmprovhost.exe'
    condition: selection
falsepositives:
    - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
level: medium

title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
description: Detects remote service activity via remote access to the svcctl named pipe
references:
    - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
    - attack.lateral-movement
    - attack.persistence
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: svcctl
        AccessList|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.lateral-movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: atsvc
        AccessList|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote Task Creation via ATSVC Named Pipe - Zeek
id: dde85b37-40cd-4a94-b00c-0b8794f956b5
related:
    - id: f6de6525-4509-495a-8a82-1f8b0ed73a00
      type: derived
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: 'Samir Bousseaden, @neu5rn'
date: 2020-04-03
modified: 2022-12-27
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.lateral-movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\*\IPC$'
        name: 'atsvc'
        # Accesses: '*WriteData*'
    condition: selection
falsepositives:
    - Unknown
level: medium