title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ntdsutil.exe'
    condition: selection
falsepositives:
    - NTDS maintenance
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        CommandLine|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
            - 'readtoend('
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        ScriptBlockText|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ScriptBlockText|endswith: 'readtoend'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        Payload|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        Payload|endswith: 'readtoend'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ImagePath|contains:
            - ':system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: JAMF MDM Potential Suspicious Child Process
id: 2316929c-01aa-438c-970f-099145ab1ee6
status: test
description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/jamf'
        Image|endswith:
            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
            - '/bash'
            - '/sh'
    condition: selection
falsepositives:
    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
level: medium

title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
status: test
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
references:
    - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-02-01
tags:
    - attack.t1203
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_jdwp_transport:
        CommandLine|contains: 'transport=dt_socket,address='
    selection_old_jvm_version:
        CommandLine|contains:
            - 'jre1.'
            - 'jdk1.'
    exclusion:
        CommandLine|contains:
            - 'address=127.0.0.1'
            - 'address=localhost'
    condition: all of selection_* and not exclusion
falsepositives:
    - Unknown
level: medium

title: Kapeka Backdoor Configuration Persistence
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
status: test
description: |
    Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
    The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1553.003
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{'
        TargetObject|endswith: '\Seed'
    filter_main_empty:
        Details|contains: '(Empty)'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Kerberoasting Activity - Initial Query
id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
status: test
description: |
    This rule will collect the data needed to start looking into possible kerberoasting activity.
    Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
    You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
references:
    - https://www.trustedsec.com/blog/art_of_kerberoast/
    - https://adsecurity.org/?p=3513
author: '@kostastsale'
date: 2022-01-21
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        Status: '0x0' # Translated as status from failure code field. Query only for successes
        TicketEncryptionType: '0x17' # RC4 ticket encryption type
    filter_main_krbtgt:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_machine_accounts:
        TargetUserName|contains: '$@' # Ignore requests from machines
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legacy applications.
level: medium

title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: test
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
    - https://adsecurity.org/?p=3458
author: sigma
date: 2020-02-12
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: zeek
    service: kerberos
detection:
    selection:
        request_type: 'TGS'
        cipher: 'rc4-hmac'
    computer_acct:
        service|startswith: '$'
    condition: selection and not computer_acct
falsepositives:
    - Normal enterprise SPN requests activity
level: medium

title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: test
description: |
    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium

title: Kubernetes CronJob/Job Modification
id: 0c9b3bda-41a6-4442-9345-356ae86343dc
related:
    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
      type: similar
status: test
description: |
    Detects when a Kubernetes CronJob or Job is created or modified.
    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
author: kelnage
date: 2024-07-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'batch'
        objectRef.resource:
            - 'cronjobs'
            - 'jobs'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium

title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
      type: derived
status: test
description: |
    Detects when events are deleted in Kubernetes.
    An adversary may delete Kubernetes events in an attempt to evade detection.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'events'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix'  # Rakkess
            - 'trufflehog'     # Secret scanning tool
            - 'azurehound'     # Azure/Cloud discovery
            - 'micro-scanner'  # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium

title: Kubernetes Rolebinding Modification
id: 10b97915-ec8d-455f-a815-9a78926585f6
related:
    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
      type: similar
status: test
description: |
    Detects when a Kubernetes Rolebinding is created or modified.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'rbac.authorization.k8s.io'
        objectRef.resource:
            - 'clusterrolebindings'
            - 'rolebindings'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium

title: Kubernetes Secrets Modified or Deleted
id: 58d31a75-a4f8-4c40-985b-373d58162ca2
related:
    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
      type: similar
status: test
description: |
    Detects when Kubernetes Secrets are Modified or Deleted.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
author: kelnage
date: 2024-07-11
tags:
    - attack.credential-access
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.resource: 'secrets'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium

title: LOLBAS Data Exfiltration by DataSvcUtil.exe
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
status: test
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
references:
    - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
    - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-05-16
tags:
    - attack.exfiltration
    - attack.t1567
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        CommandLine|contains:
            - '/in:'
            - '/out:'
            - '/uri:'
    selection_img:
        - Image|endswith: '\DataSvcUtil.exe'
        - OriginalFileName: 'DataSvcUtil.exe'
    condition: all of selection*
falsepositives:
    - DataSvcUtil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: LOLBIN Execution From Abnormal Drive
id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
related:
    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
      type: similar
status: test
description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.scythe.io/library/threat-emulation-qakbot
    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
date: 2022-01-25
modified: 2023-08-29
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: add more lolbins for additional coverage
        - Image|endswith:
              - '\calc.exe'
              - '\certutil.exe'
              - '\cmstp.exe'
              - '\cscript.exe'
              - '\installutil.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'CALC.EXE'
              - 'CertUtil.exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'installutil.exe'
              - 'MSHTA.EXE'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    filter_main_currentdirectory:
        CurrentDirectory|contains: 'C:\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rare false positives could occur on servers with multiple drives.
level: medium

title: LSA PPL Protection Setting Modification via CommandLine
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: test
description: |
    Detects modification of LSA PPL protection settings via CommandLine.
    It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-03-22
modified: 2026-03-13
tags:
    - attack.defense-impairment
    - attack.t1689
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains|all:
            - 'ControlSet'
            - '\Control\Lsa'
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - ' add '
    selection_key:
        CommandLine|contains:
            - 'IsPplAutoEnabled'
            - 'RunAsPPL'
            - 'RunAsPPLBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: medium

title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4663
            - 4656
        AccessMask:
            - '0x100000'
            - '0x1010'    # car.2019-04-004
            - '0x1400'
            - '0x1410'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
            - '0x40'
            - '143a'    # car.2019-04-004
            - '1f0fff'
            - '1f1fff'
            - '1f2fff'
            - '1f3fff'
            # - '0x1000'  # minimum access requirements to query basic info from service
        ObjectType: 'Process'
        ObjectName|endswith: '\lsass.exe'
    filter_main_service_account:
        SubjectUserName|endswith: '$'
    filter_main_generic:
        ProcessName|contains:
            # Legitimate AV and EDR solutions
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_wmiprvse:
        ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        AccessMask: '0x1410'
    filter_optional_steam:
        ProcessName|contains: '\SteamLibrary\steamapps\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: LSASS Access From Program In Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: test
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth (Nextron Systems)
date: 2021-11-27
modified: 2023-12-06
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
    - detection.threat-hunting
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
        SourceImage|contains:
            - '\Temp\'
            - '\Users\Public\'
            - '\PerfLogs\'
            - '\AppData\'
            - '\Temporary'
    filter_optional_generic_appdata:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\'
        SourceImage|endswith:
            - '\Microsoft VS Code\Code.exe'
            - '\software_reporter_tool.exe'
            - '\DropboxUpdate.exe'
            - '\MBAMInstallerService.exe'
            - '\WebexMTA.exe'
            - '\Meetings\WebexMTAV2.exe'
            - '\WebEx\WebexHost.exe'
            - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
        GrantedAccess: '0x410'
    filter_optional_dropbox_1:
        SourceImage|contains: ':\Windows\Temp\'
        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
        GrantedAccess:
            - '0x410'
            - '0x1410'
    filter_optional_dropbox_2:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\'
        SourceImage|endswith: '.tmp\DropboxUpdate.exe'
        GrantedAccess: '0x1410'
    filter_optional_dropbox_3:
        SourceImage|contains:
            - ':\Program Files (x86)\Dropbox\'
            - ':\Program Files\Dropbox\'
        SourceImage|endswith: '\DropboxUpdate.exe'
        GrantedAccess: '0x1410'
    filter_optional_nextron:
        SourceImage|contains:
            - ':\Windows\Temp\asgard2-agent\'
            - ':\Windows\Temp\asgard2-agent-sc\'
        SourceImage|endswith:
            - '\thor64.exe'
            - '\thor.exe'
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        GrantedAccess:
            - '0x1fffff'
            - '0x1010'
            - '0x101010'
    filter_optional_ms_products:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\'
            - '\vs_bootstrapper_'
        GrantedAccess: '0x1410'
    filter_optional_chrome_update:
        SourceImage|contains: ':\Program Files (x86)\Google\Temp\'
        SourceImage|endswith: '.tmp\GoogleUpdate.exe'
        GrantedAccess:
            - '0x410'
            - '0x1410'
    filter_optional_keybase:
        SourceImage|contains: ':\Users\'
        SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
        GrantedAccess: '0x1fffff'
    filter_optional_avira:
        SourceImage|contains: '\AppData\Local\Temp\is-'
        SourceImage|endswith: '.tmp\avira_system_speedup.tmp'
        GrantedAccess: '0x1410'
    filter_optional_viberpc_updater:
        SourceImage|contains: '\AppData\Roaming\ViberPC\'
        SourceImage|endswith: '\updater.exe'
        TargetImage|endswith: '\winlogon.exe'
        GrantedAccess: '0x1fffff'
    filter_optional_adobe_arm_helper:
        SourceImage|contains:  # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
            - ':\Program Files\Common Files\Adobe\ARM\'
            - ':\Program Files (x86)\Common Files\Adobe\ARM\'
        SourceImage|endswith: '\AdobeARMHelper.exe'
        GrantedAccess: '0x1410'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Updaters and installers are typical false positives. Apply custom filters depending on your environment
level: medium

title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
    - https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1569.001
    - attack.t1543.001
    - attack.t1543.004
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/launchctl'
        CommandLine|contains:
            - 'submit'
            - 'load'
            - 'start'
    condition: selection
falsepositives:
    - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium

title: Launch-VsDevShell.PS1 Proxy Execution
id: 45d3a03d-f441-458c-8883-df101a3bb146
status: test
description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
references:
    - https://twitter.com/nas_bench/status/1535981653239255040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1216.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_script:
        CommandLine|contains: 'Launch-VsDevShell.ps1'
    selection_flags:
        CommandLine|contains:
            - 'VsWherePath '
            - 'VsInstallationPath '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the script by a developer
level: medium

title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium

title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
            - "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
            - "IyEvYmluL3pza" # Note: #!/bin/zsh"
            - "IyEvYmluL2Zpc2" # Note: #!/bin/fish
            - "IyEvYmluL3No" # Note: # !/bin/sh"
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium

title: Linux Doas Conf File Creation
id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
status: stable
description: Detects the creation of doas.conf file in linux host platform.
references:
    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '/etc/doas.conf'
    condition: selection
falsepositives:
    - Unlikely
level: medium

title: Linux Logs Clearing Attempts
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: |
    Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
    Adversaries often try to clear logs to cover their tracks after performing malicious activities.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm'    # covers /rmdir as well
            - '/rmdir'
            - '/shred'
            - '/unlink'
        CommandLine|contains:
            - '/var/log'
            - '/var/spool/mail'
    filter_main_legit_systat:
        Image|endswith: '/rm'
        CommandLine|startswith: 'rm -f /var/log/sysstat/'
    filter_main_dmseg:
        Image|endswith: '/rm'
        CommandLine|startswith: 'rm -f -- /var/log//dmesg' # // before dmesg is not typo
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administration activities
level: medium

title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
modified: 2022-07-26
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|startswith:
            - 'sh -c '
            - 'bash -c '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - '| bash'
              - '| sh'
              - '|bash'
              - ' |sh'
    condition: all of selection*
falsepositives:
    - Legitimate software that uses these patterns
level: medium

title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: test
description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection
falsepositives:
    - Legitimate usage of LiveKD for debugging purposes will also trigger this
level: medium

title: LoadBalancer Security Group Modification
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9
status: test
description: |
    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
    This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'elasticloadbalancing.amazonaws.com'
        eventName:
            - 'ApplySecurityGroupsToLoadBalancer'
            - 'SetSecurityGroups'
    condition: selection
falsepositives:
    - Repurposing of an ELB or ALB to serve a different or additional application
    - Changes to security groups to allow for new services to be deployed
level: medium

title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
    In order to dump the process memory or perform other nefarious actions.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
modified: 2024-03-13
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tasklist.exe'
        - OriginalFileName: 'tasklist.exe'
    selection_flags:
        CommandLine|contains|windash: '-m'
    selection_module:
        # Note: add other interesting modules or binaries
        CommandLine|contains: 'rdpcorets.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Local File Read Using Curl.EXE
id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
status: test
description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        CommandLine|contains: 'file:///'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml

title: Local Network Connection Initiated By Script Interpreter
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
related:
    - id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
      type: derived
status: test
description: |
    Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-05-31
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        # Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection
falsepositives:
    - Legitimate scripts
level: medium

title: Logged-On User Password Change Via Ksetup.EXE
id: c9783e20-4793-4164-ba96-d9ee483992c4
status: test
description: Detects password change for the logged-on user's via "ksetup.exe"
references:
    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ksetup.exe'
        - OriginalFileName: 'ksetup.exe'
    selection_cli:
        CommandLine|contains: ' /ChangePassword '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Login to Disabled Account
id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
status: test
description: Detect failed attempts to sign in to disabled accounts.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50057
        ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Logon from a Risky IP Address
id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
status: test
description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Log on from a risky IP address'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Lolbin Runexehelper Use As Proxy
id: cd71385d-fd9b-4691-9b98-2b1f7e508714
status: test
description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
references:
    - https://twitter.com/0gtweet/status/1206692239839289344
    - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
author: frack113
date: 2022-12-29
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\runexehelper.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Lolbin Unregmp2.exe Use As Proxy
id: 727454c0-d851-48b0-8b89-385611ab0704
status: test
description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
author: frack113
date: 2022-12-29
modified: 2024-06-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\unregmp2.exe'
        - OriginalFileName: 'unregmp2.exe'
    selection_cmd:
        CommandLine|contains|windash: ' /HideWMP'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Low Reputation Effective Top-Level Domain (eTLD)
id: cf5ee356-65c4-4556-8d11-6977fcdfed4b
status: experimental
description: Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.
references:
    - https://feeds.alphasoc.net/bad-etlds.txt
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-08-04
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.initial-access
    - detection.threat-hunting
logsource:
    category: dns
detection:
    selection:
        query|endswith:
            - '.duckdns.org'
            - '.top'
            - '.ddns.net'
            - '.gl.at.ply.gg'
            - '.portmap.io'
            - '.icu'
            - '.zapto.org'
            - '.live'
            - '.hopto.org'
            - '.portmap.host'
            - '.sbs'
            - '.sytes.net'
            - '.click'
            - '.ydns.eu'
            - '.site'
            - '.cloud'
            - '.no-ip.org'
            - '.kozow.com'
            - '.lat'
            - '.pro'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium

title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'spoolss'
        operation: 'RpcAddMonitor'
    op2:
        endpoint: 'spoolss'
        operation: 'RpcAddPrintProcessor'
    op3:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddMonitor'
    op4:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddPrintProcessor'
    op5:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonW'
    op6:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonExW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium

title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
    Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
    to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218.014
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\mmc.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\jscript.dll'
            - '\jscript9.dll'
    condition: selection
falsepositives:
    - Legitimate MMC operations or extensions loading these libraries
level: medium

title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: similar
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium

title: MSExchange Transport Agent Installation - Builtin
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: derived
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        - 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium

title: MSI Installation From Suspicious Locations
id: c7c8aa1c-5aff-408e-828b-998e3620b341
status: test
description: Detects MSI package installation from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-10-23
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains:
            # Add more suspicious paths
            - ':\Windows\TEMP\'
            - '\\\\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Users\Public\'
            # - '\AppData\Local\Temp\'  # too many FPs
            # - '\Downloads\'  # too many FPs, typical legitimate staging directory
    filter_winget:
        Data|contains: '\AppData\Local\Temp\WinGet\'
    filter_updhealthtools:
        Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
    condition: selection and not 1 of filter_*
falsepositives:
    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
level: medium