VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Reconnaissance: 12
Resource Development: 10
Initial Access: 10
Execution: 30
Persistence: 42
Privilege Escalation: 20
Stealth: 79
Defense Impairment: 32
Credential Access: 35
Discovery: 33
Lateral Movement: 16
Collection: 20
Command and Control: 24
Exfiltration: 10
Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
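The Adapt and Validate steps above, as an added worked example that is not code from this site or from the Sigma project: a minimal evaluator for the Sigma detection grammar the rules on this page use (plain values, lists, contains/endswith/all modifiers, and conditions built from and/or/not, "1 of X*" and "all of X*"), run over constructed registry-set events after their vendor field names have been mapped onto the Sigma taxonomy. The detection is a subset of the "Service Binary in User Controlled Folder" rule listed further down; the vendor field names (regmod_name, regmod_value, proc) and the three events are hypothetical. Wildcards, regex and aggregation modifiers are not implemented, and the condition evaluator does not handle parentheses (none of the rules in this view need them).

```python
# Added illustration, not code from this site or from the Sigma project: a
# minimal evaluator for the Sigma detection grammar used by the rules on this
# page (plain values, lists, contains/endswith/all modifiers, and conditions
# built from and/or/not, "1 of X*" and "all of X*"; no wildcards or regex).
import fnmatch


def _match_value(event_value, pattern, mods):
    """Compare one event value with one rule value under the given modifiers."""
    if event_value is None:
        return False
    ev, pat = str(event_value).lower(), str(pattern).lower()  # Sigma matching is case-insensitive
    if "contains" in mods:
        return pat in ev
    if "endswith" in mods:
        return ev.endswith(pat)
    return ev == pat


def _match_field(event, key, rule_values):
    """'Field|contains|all: [a, b]' needs every value to match; without 'all', any one."""
    field, *mods = key.split("|")
    values = rule_values if isinstance(rule_values, list) else [rule_values]
    hits = [_match_value(event.get(field), v, mods) for v in values]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, selection):
    """A map ANDs its fields; a list of maps ORs its entries (Sigma semantics)."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(cond, results):
    """Evaluate a parenthesis-free condition; 'not' binds tightest, then 'and', then 'or'."""
    def term(text):
        neg, words = False, text.split()
        while words and words[0] == "not":
            neg, words = not neg, words[1:]
        if len(words) == 3 and words[1] == "of":  # "1 of X*" / "all of X*"
            names = fnmatch.filter(results, words[2])
            val = (any if words[0] == "1" else all)(results[n] for n in names)
        elif len(words) == 1:
            val = results[words[0]]
        else:
            raise ValueError("unsupported condition syntax: " + text)
        return val != neg  # apply the accumulated negation
    return any(all(term(t) for t in clause.split(" and "))
               for clause in cond.split(" or "))


def rule_fires(detection, event):
    """Evaluate a rule's 'detection' mapping against one Sigma-named event."""
    results = {n: _match_selection(event, s) for n, s in detection.items() if n != "condition"}
    return _eval_condition(detection["condition"], results)


def normalise(raw_event, field_map):
    """Adapt step: rename vendor fields to Sigma names; unmapped fields pass through."""
    return {field_map.get(k, k): v for k, v in raw_event.items()}


# Subset of the "Service Binary in User Controlled Folder" detection from this page.
SERVICE_BINARY_RULE = {
    "selection": {
        "TargetObject|contains|all": ["ControlSet", "\\Services\\"],
        "TargetObject|endswith": "\\ImagePath",
        "Details|contains": [":\\ProgramData\\", "\\AppData\\Local\\", "\\AppData\\Roaming\\"],
    },
    "filter_main_windefend": {
        "TargetObject|contains": ["\\Services\\WinDefend\\", "\\Services\\MpKs"],
        "Details|contains": "C:\\ProgramData\\Microsoft\\Windows Defender\\",
    },
    "condition": "selection and not 1 of filter_main_*",
}

# Hypothetical vendor field names and constructed events (not any product's real schema).
FIELD_MAP = {"regmod_name": "TargetObject", "regmod_value": "Details", "proc": "Image"}
SAMPLES = {
    "staged_service_binary": {
        "regmod_name": "HKLM\\System\\CurrentControlSet\\Services\\Updater\\ImagePath",
        "regmod_value": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe",
        "proc": "C:\\Windows\\System32\\services.exe"},
    "defender_platform_update": {  # must be suppressed by filter_main_windefend
        "regmod_name": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\ImagePath",
        "regmod_value": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1\\MsMpEng.exe\"",
        "proc": "C:\\Windows\\System32\\services.exe"},
    "program_files_service": {
        "regmod_name": "HKLM\\System\\CurrentControlSet\\Services\\Foo\\ImagePath",
        "regmod_value": "C:\\Program Files\\Foo\\foo.exe",
        "proc": "C:\\Windows\\System32\\msiexec.exe"},
}


def evaluate_samples(detection=SERVICE_BINARY_RULE, samples=SAMPLES, field_map=FIELD_MAP):
    """Validate step: return {sample name: fired?} for the constructed events."""
    return {n: rule_fires(detection, normalise(e, field_map)) for n, e in samples.items()}
```

With a real rule file, `yaml.safe_load(open(path))["detection"]` gives the same mapping shape as SERVICE_BINARY_RULE, so the same evaluator can be pointed at a sample of your own exported events. A rule that never fires on the matching Atomic Red Team event, or fires on every Defender platform update, is telling you the field mapping or the filters need work before the rendered query goes anywhere near production.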
Detection rules
50 shown of 1,440
Level: medium · Quality: Strong · Alert volume: Medium FP
ScreenConnect User Database Modification - Security
Detects file modifications to the temporary XML user database file, indicating local user modification on the ScreenConnect server.
This will occur during exploitation of the ScreenConnect authentication bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.
title: ScreenConnect User Database Modification - Security
id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
related:
    - id: 1a821580-588b-4323-9422-660f7e131020
      type: similar
status: test
description: |
    Detects file modifications to the temporary XML user database file, indicating local user modification on the ScreenConnect server.
    This will occur during exploitation of the ScreenConnect authentication bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
    This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
date: 2024-02-20
tags:
    - cve.2024-1709
    - detection.emerging-threats
    - attack.defense-impairment
logsource:
    product: windows
    service: security
    definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        AccessMask: '0x6'   # WriteData (0x2) | AppendData (0x4)
        ObjectName|endswith: '.xml'
        ObjectName|contains|all:
            - 'Temp'
            - 'ScreenConnect'
        ProcessName|contains: 'ScreenConnect.Service.exe'
    condition: selection
falsepositives:
    - This will occur legitimately as well and will result in some benign activity.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
ScreenSaver Registry Key Set
Detects the SCRNSAVE.EXE registry value being set to a ".scr" path by rundll32.exe, which happens when a masqueraded .scr file is executed via desk.cpl (InstallScreenSaver).
title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
status: test
description: Detects the SCRNSAVE.EXE registry value being set to a ".scr" path by rundll32.exe, which happens when a masqueraded .scr file is executed via desk.cpl (InstallScreenSaver).
references:
    - https://twitter.com/VakninHai/status/1517027824984547329
    - https://twitter.com/pabraeken/status/998627081360695297
    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-04
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    registry:
        TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
        Details|endswith: '.scr'
    filter:
        Details|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and registry and not filter
falsepositives:
    - Legitimate use of screen saver
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Scripted Diagnostics Turn Off Check Enabled - Registry
Detects the ScriptedDiagnostics "TurnOffCheck" policy value being enabled, which can be used to bypass the protection against the MSDT "Follina" vulnerability (CVE-2022-30190).
title: Scripted Diagnostics Turn Off Check Enabled - Registry
id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
status: test
description: Detects the ScriptedDiagnostics "TurnOffCheck" policy value being enabled, which can be used to bypass the protection against the MSDT "Follina" vulnerability (CVE-2022-30190).
references:
    - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-06-15
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Administrator actions
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Scripting/CommandLine Process Spawned Regsvr32
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\regsvr32.exe'
    filter_main_rpcproxy:
        ParentImage: C:\Windows\System32\cmd.exe
        CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts often spawn regsvr32 for legitimate reasons. Apply additional filters and exclusions as necessary.
    - Some legitimate Windows services
level: medium # Can be reduced to low if you experience a ton of FP
Level: medium · Quality: Moderate · Alert volume: High FP
Sdclt Child Processes
A general detection for sdclt.exe spawning child processes, which can indicate sdclt.exe being abused in a UAC bypass.
title: Sdclt Child Processes
id: da2738f2-fadb-4394-afa7-0a0674885afa
status: test
description: A general detection for sdclt.exe spawning child processes, which can indicate sdclt.exe being abused in a UAC bypass.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/6
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdclt.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover installed security software.
title: Security Software Discovery - MacOs
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover installed security software.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: macos
detection:
    image:
        Image: '/usr/bin/grep'
    selection_cli_1:
        CommandLine|contains:
            - 'nessusd'    # nessus vulnerability scanner
            - 'santad'     # google santa
            - 'CbDefense'  # carbon black
            - 'falcond'    # crowdstrike falcon
            - 'td-agent'   # fluentd log shipper
            - 'packetbeat' # elastic network logger/shipper
            - 'filebeat'   # elastic log file shipper
            - 'auditbeat'  # elastic auditing agent/log shipper
            - 'osqueryd'   # facebook osquery
            - 'BlockBlock' # Objective-See persistence locations watcher/blocker
            - 'LuLu'       # Objective-See firewall management utility
    selection_cli_2: # Objective Development Software firewall management utility
        CommandLine|contains|all:
            - 'Little'
            - 'Snitch'
    condition: image and 1 of selection_cli_*
falsepositives:
    - Legitimate activities
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Security Software Discovery Via Powershell Script
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.
title: Security Software Discovery Via Powershell Script
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: test
description: |
    Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
    Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-16
modified: 2023-10-24
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'get-process | \?'
            - 'get-process | where'
            - 'gps | \?'
            - 'gps | where'
    selection_field:
        ScriptBlockText|contains:
            - 'Company -like'
            - 'Description -like'
            - 'Name -like'
            - 'Path -like'
            - 'Product -like'
    selection_keywords:
        ScriptBlockText|contains:
            # Note: These strings are using wildcard assuming the search is using the "-like" operator.
            # You can add specific variant with the actual process names to increase coverage
            - '\*avira\*'
            - '\*carbonblack\*'
            - '\*cylance\*'
            - '\*defender\*'
            - '\*kaspersky\*'
            - '\*malware\*'
            - '\*sentinel\*'
            - '\*symantec\*'
            - '\*virus\*'
    condition: all of selection_*
falsepositives:
    - False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.
    - As the "selection_cmdlet" is common in scripts, the matching engine might slow down the search. Change to a regex or a more accurate string to avoid heavy resource consumption if experienced.
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter the results.
This detection focuses on the keywords that the attacker might use as a filter.
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter the results.
    This detection focuses on the keywords that the attacker might use as a filter.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            # Note: Add additional keywords to increase and enhance coverage
            # Note:
            # We use the double quote variation because in cases where the command is executed through cmd, for example:
            # cmd /c "tasklist | findstr virus"
            # logging utilities such as Sysmon capture the closing quote as part of the findstr command line
            - ' avira'
            - ' avira"'
            - ' cb'
            - ' cb"'
            - ' cylance'
            - ' cylance"'
            - ' defender'
            - ' defender"'
            - ' kaspersky'
            - ' kaspersky"'
            - ' kes'
            - ' kes"'
            - ' mc'
            - ' mc"'
            - ' sec'
            - ' sec"'
            - ' sentinel'
            - ' sentinel"'
            - ' symantec'
            - ' symantec"'
            - ' virus'
            - ' virus"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
    - type: atomic-red-team
      name: Security Software Discovery
      technique: T1518.001
      atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
Level: medium · Quality: Moderate · Alert volume: Medium FP
Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
title: Self Extraction Directive File Created In Potentially Suspicious Location
id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
    - id: ab90dab8-c7da-4010-9193-563528cfa347
      type: derived
status: test
description: |
    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Service Binary in User Controlled Folder
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
Attackers often use such directories for staging purposes.
This rule might also trigger on badly written software; if an attacker can replace the binary of an auto-starting service in such a folder, they can achieve persistence or privilege escalation.
Note that while ProgramData is a user controlled folder, software might apply strict ACLs which make its subfolders accessible only to admin users. Remove such folders via filters if you experience a lot of noise.
title: Service Binary in User Controlled Folder
id: 277dc340-0540-42e7-8efb-5ff460045e07
related:
    - id: c625c4c2-515d-407f-8bb6-456f65955669
      type: obsolete
status: test
description: |
    Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
    Attackers often use such directories for staging purposes.
    This rule might also trigger on badly written software; if an attacker can replace the binary of an auto-starting service in such a folder, they can achieve persistence or privilege escalation.
    Note that while ProgramData is a user controlled folder, software might apply strict ACLs which make its subfolders accessible only to admin users. Remove such folders via filters if you experience a lot of noise.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-05-02
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'ControlSet'
            - '\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
    filter_optional_zoom:
        TargetObject|contains: '\Services\ZoomCptService'
        Details|contains: 'C:\Program Files\Common Files\Zoom\Support\CptService.exe'
    filter_optional_mbami:
        TargetObject|contains: '\Services\MBAMInstallerService'
        Details|contains|all:
            - 'C:\Users\'
            - 'AppData\Local\Temp\MBAMInstallerService.exe'
    filter_main_windefend:
        TargetObject|contains:
            - '\Services\WinDefend\'
            - '\Services\MpKs'
        Details|contains: 'C:\ProgramData\Microsoft\Windows Defender\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Service Installation in Suspicious Folder
Detects installation of a service (System log Event ID 7045) whose binary path is under an AppData folder or points at a loopback UNC path (\\127.0.0.1 or \\localhost).
title: Service Installation in Suspicious Folder
id: 5e993621-67d4-488a-b9ae-b420d08b96cb
status: test
description: Detects installation of a service (System log Event ID 7045) whose binary path is under an AppData folder or points at a loopback UNC path (\\127.0.0.1 or \\localhost).
author: pH-T (Nextron Systems)
references:
    - Internal Research
date: 2022-03-18
modified: 2024-01-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - '\AppData\'
            - '\\\\127.0.0.1'
            - '\\\\localhost'
    filter_optional_zoom:
        ServiceName: 'Zoom Sharing Service'
        ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Service Reconnaissance Via Wmic.EXE
An adversary might use WMI to check whether a given service is running on a remote host.
If the service exists, its details are printed to the screen.
If the queried service is not running, WMIC prints "No instance(s) Available".
If the remote host is unreachable, WMIC prints an error such as "Node - (provided IP or default) ERROR Description = The RPC server is unavailable".
title: Service Reconnaissance Via Wmic.EXE
id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
related:
    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
      type: similar
status: test
description: |
    An adversary might use WMI to check whether a given service is running on a remote host.
    If the service exists, its details are printed to the screen.
    If the queried service is not running, WMIC prints "No instance(s) Available".
    If the remote host is unreachable, WMIC prints an error such as "Node - (provided IP or default) ERROR Description = The RPC server is unavailable".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2026-01-07
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'service'
    filter_main_win32_methods:
        # Win32_Service methods that change state are covered by dedicated rules; this one is about read-only enumeration
        CommandLine|contains:
            - 'Change'
            - 'Create'
            - 'Delete'
            - 'PauseService'
            - 'ResumeService'
            - 'SetSecurityDescriptor'
            - 'StartService'
            - 'StopService'
            - 'UserControlService'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.011
    - stp.2a
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'get-acl'
            - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Service Security Descriptor Tampering Via Sc.EXE
Detects use of "sc.exe sdset" to change a service's security descriptor (SDDL), which can be used to deny everyone, administrators included, access to the service and so hide it from service enumeration.
title: Service Security Descriptor Tampering Via Sc.EXE
id: 98c5aeef-32d5-492f-b174-64a691896d25
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
      type: similar
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
      type: similar
status: test
description: Detects use of "sc.exe sdset" to change a service's security descriptor (SDDL), which can be used to deny everyone, administrators included, access to the service and so hide it from service enumeration.
references:
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://twitter.com/0gtweet/status/1628720819537936386
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'sdset'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
title: Service Started/Stopped Via Wmic.EXE
id: 0b7163dc-7eee-4960-af17-c0cd517f92da
status: test
description: Detects usage of wmic to start or stop a service
references:
    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service '
            - ' call '
        CommandLine|contains:
            - 'stopservice'
            - 'startservice'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Service Startup Type Change Via Wmic.EXE
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
title: Service Startup Type Change Via Wmic.EXE
id: c0514f28-fdae-42df-b886-06e2b2bc5b37
status: experimental
description: |
    Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
references:
    - https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1047
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service '
            - 'ChangeStartMode'
        CommandLine|contains:
            - 'Manual'
            - 'Disabled'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml
Level: medium · Quality: Moderate · Alert volume: High FP
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
title: Service StartupType Change Via PowerShell Set-Service
id: 62b20d44-1546-4e61-afce-8e175eb9473c
status: test
description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
references:
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-04
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    # Note: only Windows PowerShell is matched here; pwsh.exe (PowerShell 7) is not covered by this selection.
    selection_img:
        - Image|endswith: '\powershell.exe'
        - OriginalFileName: 'PowerShell.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'Set-Service'
            - '-StartupType'
        CommandLine|contains:
            - 'Disabled'
            - 'Manual'
    condition: all of selection_*
falsepositives:
    - False positives may occur with troubleshooting scripts
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Service StartupType Change Via Sc.EXE
Detects the use of "sc.exe config" to change the startup type of a service to "disabled" or "demand" (manual)
title: Service StartupType Change Via Sc.EXE
id: 85c312b7-f44d-4a51-a024-d671c40b49fc
status: test
description: Detects the use of "sc.exe config" to change the startup type of a service to "disabled" or "demand" (manual)
references:
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-03-04
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' config '
            - 'start'
        CommandLine|contains:
            - 'disabled'
            - 'demand'
    condition: all of selection_*
falsepositives:
    - False positives may occur with troubleshooting scripts
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry.
This is often used as a method of persistence.
title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
status: test
description: |
    Detects changes to the "ServiceDLL" value related to a service in the registry.
    This is often used as a method of persistence.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
author: frack113
date: 2022-02-04
modified: 2024-04-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\'
            - 'ControlSet'
            - '\Services\'
        TargetObject|endswith: '\Parameters\ServiceDll'
    filter_main_printextensionmanger:
        Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
    filter_main_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
        Details: '%%systemroot%%\system32\ntdsa.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_safetica:
        Image|endswith: '\regsvr32.exe'
        Details: 'C:\Windows\System32\STAgent.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts
    - Installation of a service
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - attack.t1546.009
logsource:
    category: registry_set
    product: windows
detection:
    session_manager_base:
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    filter:
        Details: '(Empty)'
    condition: session_manager_base and session_manager and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium
Strong
Medium FP
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file.
These ".lst" files can contain references to external programs that "Setup16.EXE" will execute.
Attackers might leverage this as a living-off-the-land utility.
title: Setup16.EXE Execution With Custom .Lst File
id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
status: test
description: |
    Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file.
    These ".lst" files can contain references to external programs that "Setup16.EXE" will execute.
    Attackers might leverage this as a living-off-the-land utility.
references:
    - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
author: frack113
date: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
        ParentCommandLine|contains: ' -m '
    filter_optional_valid_path:
        Image|startswith: 'C:\~MSSETUP.T\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - On modern Windows systems the "Setup16" utility is practically never used, hence false positives should be very rare.
level: medium
medium
Moderate
High FP
Shadow Copies Creation Using Operating Systems Utilities
Detects the creation of shadow copies using operating system utilities, a possible precursor to credential access.
title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Detects the creation of shadow copies using operating system utilities, a possible precursor to credential access.
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2022-11-10
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.002
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'shadow'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator working with shadow copies, access for backup purposes
level: medium
medium
Moderate
Medium FP
SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
title: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
id: 48d053db-6a56-4866-b60d-0975647050ed
status: experimental
description: |
    Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f
    - https://research.eye.security/sharepoint-under-siege/
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-53770
    - detection.emerging-threats
logsource:
    category: webserver # IIS web server logs
detection:
    selection_exploit_post:
        cs-method: 'POST'
        cs-uri-stem|contains: '/_layouts/15/ToolPane.aspx'
        cs-uri-query|contains: 'DisplayMode=Edit&a=/ToolPane.aspx'
    selection_exploit_get:
        cs-method: 'GET'
        cs-uri-stem|contains: '/_layouts/15/spinstall0.aspx'
    selection_referer:
        cs-referer|contains: '/_layouts/SignOut.aspx'
    condition: 1 of selection_exploit_* and selection_referer
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Invocation via Apt - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: test
description: |
    Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/apt/
    - https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'APT::Update::Pre-Invoke::='
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Shell Process Spawned by Java.EXE
Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. Log4j exploitation).
title: Shell Process Spawned by Java.EXE
id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
related:
    - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
      type: similar
status: test
description: Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. Log4j exploitation).
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
date: 2021-12-17
modified: 2024-01-18
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\java.exe'
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_build:
        ParentImage|contains: 'build' # excluding CI build agents
        CommandLine|contains: 'build' # excluding CI build agents
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate calls to system binaries
    - Company specific internal usage
level: medium
medium
Moderate
High FP
Source Code Enumeration Detection by Keyword
Detects source code enumeration via GET requests by searching for keywords in URL strings.
title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
status: test
description: Detects source code enumeration via GET requests by searching for keywords in URL strings.
references:
    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
author: James Ahearn
date: 2019-06-08
modified: 2022-10-05
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: webserver
detection:
    keywords:
        - '.git/'
    condition: keywords
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
status: stable
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
references:
    - https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: spring
detection:
    keywords:
        - AccessDeniedException
        - CsrfException
        - InvalidCsrfTokenException
        - MissingCsrfTokenException
        - CookieTheftException
        - InvalidCookieException
        - RequestRejectedException
    condition: keywords
falsepositives:
    - Application bugs
level: medium
medium
Strong
Medium FP
Standard User In High Privileged Group
Detects logins by standard users that are members of highly privileged groups such as the Administrators group.
title: Standard User In High Privileged Group
id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
status: test
description: Detects logins by standard users that are members of highly privileged groups such as the Administrators group.
references:
    - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
    - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
author: frack113
date: 2023-01-13
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.privilege-escalation
logsource:
    product: windows
    service: lsa-server
    definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
detection:
    selection:
        EventID: 300
        TargetUserSid|startswith: 'S-1-5-21-' # Standard user
        SidList|contains:
            - 'S-1-5-32-544' # Local admin
            - '-500}' # Domain admin
            - '-518}' # Schema admin
            - '-519}' # Enterprise admin
    filter_main_admin:
        TargetUserSid|endswith:
            - '-500' # Domain admin
            - '-518' # Schema admin
            - '-519' # Enterprise admin
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Standard domain users who are part of the administrators group.
      These users should not have these rights, but where it is necessary they should be filtered out using the "TargetUserName" field.
level: medium
medium
Moderate
High FP
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
title: Start of NT Virtual DOS Machine
id: 16905e21-66ee-42fe-b256-1318ada2d770
status: test
description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
references:
    - https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
    - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7
    - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/
    - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
author: frack113
date: 2022-07-16
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ntvdm.exe'
            - '\csrstub.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Strong
Medium FP
Startup Folder File Write
A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
related:
    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
      type: similar
status: test
description: A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/12
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - FP could be caused by legitimate applications writing shortcuts, for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium
medium
Strong
Medium FP
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium
medium
Moderate
Medium FP
Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
title: Successful Authentications From Countries You Do Not Operate Out Of
id: 8c944ecb-6970-4541-8496-be554b8e2846
status: test
description: Detect successful authentications from countries you do not operate out of.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
    filter:
        Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
    condition: selection and not filter
falsepositives:
    - If this was approved by System Administrator.
level: medium
medium
Moderate
Medium FP
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .NET Framework, it is possible to enumerate folders using the "~" symbol.
title: Successful IIS Shortname Fuzzing Scan
id: 7cb02516-6d95-4ffc-8eee-162075e111ac
status: test
description: When IIS uses an old .NET Framework, it is possible to enumerate folders using the "~" symbol.
references:
    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml
    - https://www.exploit-db.com/exploits/19525
    - https://github.com/lijiejie/IIS_shortname_Scanner
author: frack113
date: 2021-10-06
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '~1'
        cs-uri-query|endswith: 'a.aspx'
        cs-method:
            - GET
            - OPTIONS
        # Success only
        sc-status:
            - 200
            - 301
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
related:
    - id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
      type: similar
status: test
description: Detects known sensitive file extensions accessed on a network share
references:
    - Internal Research
author: Samir Bousseaden
date: 2019-04-03
modified: 2025-10-17
tags:
    - attack.collection
    - attack.t1039
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith:
            - '.bak'
            - '.dmp'
            - '.edb'
            - '.kirbi'
            - '.msg'
            - '.nsf'
            - '.nst'
            - '.oab'
            - '.ost'
            - '.pst'
            - '.rdp'
            # - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
    condition: selection
falsepositives:
    - Help Desk operator doing backup or re-imaging end user machine or backup software
    - Users working with these data types or exchanging message files
level: medium
medium
Moderate
Medium FP
Suspicious Access to Sensitive File Extensions - Zeek
Detects known sensitive file extensions via Zeek
title: Suspicious Access to Sensitive File Extensions - Zeek
id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
related:
    - id: 91c945bc-2ad1-4799-a591-4d00198a1215
      type: derived
status: test
description: Detects known sensitive file extensions via Zeek
references:
    - Internal Research
author: Samir Bousseaden, @neu5ron
date: 2020-04-02
modified: 2025-10-17
tags:
    - attack.collection
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        name|endswith:
            - '.pst'
            - '.ost'
            - '.msg'
            - '.nst'
            - '.oab'
            - '.edb'
            - '.nsf'
            - '.bak'
            - '.dmp'
            - '.kirbi'
            # - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
            - '.rdp'
    condition: selection
falsepositives:
    - Help Desk operator doing backup or re-imaging end user machine or backup software
    - Users working with these data types or exchanging message files
level: medium
medium
Strong
Medium FP
Suspicious Appended Extension
Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
    - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022-07-16
modified: 2023-11-11
tags:
    - attack.impact
    - attack.t1486
logsource:
    product: windows
    category: file_rename
    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
    selection:
        SourceFilename|endswith:
            - '.doc'
            - '.docx'
            - '.jpeg'
            - '.jpg'
            - '.lnk'
            - '.pdf'
            - '.png'
            - '.pst'
            - '.rtf'
            - '.xls'
            - '.xlsx'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpeg.'
            - '.jpg.'
            - '.lnk.'
            - '.pdf.'
            - '.png.'
            - '.pst.'
            - '.rtf.'
            - '.xls.'
            - '.xlsx.'
    filter_main_generic:
        TargetFilename|endswith:
            # Note: Please add more used extensions by backup or recovery software
            - '.backup'
            - '.bak'
            - '.old'
            - '.orig'
            - '.temp'
            - '.tmp'
    filter_optional_anaconda:
        TargetFilename|contains: ':\ProgramData\Anaconda3\'
        TargetFilename|endswith: '.c~'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Backup software
level: medium
medium
Strong
Medium FP
Suspicious Application Installed
Detects the installation of suspicious applications by looking at shortcuts added to the app resolver cache.
title: Suspicious Application Installed
id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
status: test
description: Detects the installation of suspicious applications by looking at shortcuts added to the app resolver cache.
references:
    - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
    - attack.execution
logsource:
    product: windows
    service: shell-core
detection:
    selection_name:
        EventID: 28115
        Name|contains:
            # Please add more
            - 'Zenmap'
            - 'AnyDesk'
            - 'wireshark'
            - 'openvpn'
    selection_packageid:
        EventID: 28115
        AppID|contains:
            # Please add more
            - 'zenmap.exe'
            - 'prokzult ad' # AnyDesk
            - 'wireshark'
            - 'openvpn'
    condition: 1 of selection_*
falsepositives:
    - Packages or applications being legitimately used by users or administrators
level: medium
medium
Moderate
High FP
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY' # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Suspicious C2 Activities
Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'.
This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
These commands match several techniques from the "Command and Control" tactic, including, non-exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132).
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
status: test
description: |
    Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'.
    This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
    These commands match several techniques from the "Command and Control" tactic, including, non-exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132).
references:
    - https://github.com/Neo23x0/auditd
author: Marie Euler
date: 2020-05-18
modified: 2021-11-27
tags:
    - attack.command-and-control
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /usr/bin/wget -p x -k susp_activity
        -w /usr/bin/curl -p x -k susp_activity
        -w /usr/bin/base64 -p x -k susp_activity
        -w /bin/nc -p x -k susp_activity
        -w /bin/netcat -p x -k susp_activity
        -w /usr/bin/ncat -p x -k susp_activity
        -w /usr/bin/ss -p x -k susp_activity
        -w /usr/bin/netstat -p x -k susp_activity
        -w /usr/bin/ssh -p x -k susp_activity
        -w /usr/bin/scp -p x -k susp_activity
        -w /usr/bin/sftp -p x -k susp_activity
        -w /usr/bin/ftp -p x -k susp_activity
        -w /usr/bin/socat -p x -k susp_activity
        -w /usr/bin/wireshark -p x -k susp_activity
        -w /usr/bin/tshark -p x -k susp_activity
        -w /usr/bin/rawshark -p x -k susp_activity
        -w /usr/bin/rdesktop -p x -k susp_activity
        -w /usr/local/bin/rdesktop -p x -k susp_activity
        -w /usr/bin/wlfreerdp -p x -k susp_activity
        -w /usr/bin/xfreerdp -p x -k susp_activity
        -w /usr/local/bin/xfreerdp -p x -k susp_activity
        -w /usr/bin/nmap -p x -k susp_activity
        (via https://github.com/Neo23x0/auditd/blob/ddf2603dbc985f97538d102f13b4e4446b402bae/audit.rules#L336)
detection:
    selection:
        key: 'susp_activity'
    condition: selection
falsepositives:
    - Admin or User activity
level: medium
medium
Strong
High FP
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious .diagcab files with embedded answer files leveraging CVE-2022-30190.
title: Suspicious Cabinet File Execution Via Msdt.EXE
id: dc4576d4-7467-424f-9eee-fd2b02855fe0
related:
    - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
      type: obsolete
status: test
description: Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious .diagcab files with embedded answer files leveraging CVE-2022-30190.
references:
    - https://twitter.com/nas_bench/status/1537896324837781506
    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
date: 2022-06-21
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    selection_cmd:
        CommandLine|contains|windash: ' -cab '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of ".diagcab" files
level: medium
medium
Moderate
Medium FP
Suspicious Child Process of SAP NetWeaver
Detects suspicious child processes spawned by SAP NetWeaver that could indicate exploitation of a vulnerability allowing arbitrary execution via web shells, such as CVE-2025-31324.
title: Suspicious Child Process of SAP NetWeaver
id: 5b304bcb-ac33-49d0-87af-fa1b3ca94333
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver that could indicate exploitation
    of a vulnerability allowing arbitrary execution via web shells, such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentImage|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\mshta.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\python.exe'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium
medium
Moderate
Medium FP
Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate exploitation of a vulnerability allowing arbitrary execution via web shells, such as CVE-2025-31324.
title: Suspicious Child Process of SAP NetWeaver - Linux
id: 69dea60b-2deb-4c9e-a685-ad542f4367f9
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate exploitation
    of a vulnerability allowing arbitrary execution via web shells, such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent_img:
        ParentImage|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_child:
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
            - '/python'
            - '/python2'
            - '/python3'
            - '/perl'
            - '/ruby'
            - '/curl'
            - '/wget'
            - '/nc'
            - '/netcat'
            - '/ncat'
            - '/socat'
            - '/nmap'
            - '/telnet'
            - '/awk'
            - '/sed'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium
medium
Moderate
Medium FP
Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
view Sigma YAML
title: Suspicious CodePage Switch Via CHCP
id: c7942406-33dd-4377-a564-0f62db0593a3
status: test
description: Detects a code page switch in command line or batch scripts to a rare language
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://twitter.com/cglyer/status/1183756892952248325
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-10-14
modified: 2023-03-07
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - ' 936' # Chinese
            # - ' 1256' # Arabic
            - ' 1258' # Vietnamese
            # - ' 855' # Russian
            # - ' 866' # Russian
            # - ' 864' # Arabic
    condition: selection
falsepositives:
    - Administrative activity (adjust code pages according to your organization's region)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
medium
Strong
Low FP
Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity
view Sigma YAML
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: test
description: Detects relevant commands often related to malware or hacking activity
references:
    - Internal Research - mostly derived from exploit code including code in MSF
author: Florian Roth (Nextron Systems)
date: 2017-12-12
modified: 2022-10-05
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 777
    cmd2:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
    cmd4:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/sh'
    condition: 1 of cmd*
falsepositives:
    - Admin activity
level: medium
medium
Moderate
High FP
Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
You can use it to reset the password of the local computer.
view Sigma YAML
title: Suspicious Computer Machine Password by PowerShell
id: e3818659-5016-4811-a73c-dde4679169d2
status: test
description: |
    The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
    You can use it to reset the password of the local computer.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: frack113
date: 2022-02-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Reset-ComputerMachinePassword'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: medium
medium
Strong
Medium FP
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
view Sigma YAML
title: Suspicious Copy From or To System Directory
id: fff9d2b7-e11c-4a69-93d3-40ef66189767
related:
    - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_img_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_img_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target:
        CommandLine|re|i: \s['"]?C:\\Windows\\(?:System32|SysWOW64|WinSxS)
    filter_optional_avira:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c copy'
            - '\Temp\'
            - '\avira_system_speedup.exe'
        CommandLine|contains:
            - 'C:\Program Files\Avira\'
            - 'C:\Program Files (x86)\Avira\'
    condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
falsepositives:
    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
    - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2
    - When the command contains the keywords but not in the correct order
level: medium
medium
Moderate
High FP
Suspicious Creation TXT File in User Desktop
Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
view Sigma YAML
title: Suspicious Creation TXT File in User Desktop
id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
status: test
description: |
    Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
    Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
author: frack113
date: 2021-12-26
modified: 2026-01-09
tags:
    - attack.impact
    - attack.t1486
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\Desktop\'
        TargetFilename|endswith: '.txt'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
view Sigma YAML
title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
id: 5a7132c0-86db-4e6b-95c0-f0e9d7f461aa
status: experimental
description: |
    Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
    If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
    - https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
author: Gene Kazimiarovich
date: 2025-04-20
tags:
    - detection.emerging-threats
    - attack.credential-access
    - attack.t1187 # Forced Authentication
    - cve.2025-24054
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.library-ms'
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\explorer.exe'
    condition: selection
falsepositives:
    - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
    - Custom corporate scripts that programmatically generate .library-ms Files
level: medium
medium
Moderate
High FP
Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
view Sigma YAML
title: Suspicious CrushFTP Child Process
id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
status: experimental
description: |
    Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
    CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
    The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2825
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
    - https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
    - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
    - https://projectdiscovery.io/blog/crushftp-authentication-bypass
author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-10
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1190
    - cve.2025-31161
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\crushftpservice.exe'
    selection_child:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate CrushFTP administrative actions
    - Software updates
level: medium
medium
Strong
Medium FP
Suspicious Csi.exe Usage
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. An early version of this utility, provided with the Microsoft “Roslyn” Community Technology Preview, was named 'rcsi.exe'.
view Sigma YAML
title: Suspicious Csi.exe Usage
id: 40b95d31-1afc-469e-8d34-9a3a667d058e
status: test
description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/
    - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
    - https://twitter.com/Z3Jpa29z/status/1317545798981324801
author: Konstantin Grishchenko, oscd.community
date: 2020-10-17
modified: 2022-07-11
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.stealth
    - attack.t1072
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\csi.exe'
              - '\rcsi.exe'
        - OriginalFileName:
              - 'csi.exe'
              - 'rcsi.exe'
    selection_cli:
        Company: 'Microsoft Corporation'
    condition: all of selection*
falsepositives:
    - Legitimate usage by software developers
level: medium