Tool
EDR / XDR

VMware Carbon Black

1,492 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.

Detection rules

50 shown of 1,492
medium
MSI Installation From Web
Detects installation of a remote msi file from web.
status test author Stamatis Chatzimangou id 5594e67a-7f92-4a04-b65d-1a42fd824a60
carbon_black query
Provider_Name:MsiInstaller (EventID:1040 OR EventID:1042) Data:\:\/\/*
view Sigma YAML
title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: test
description: Detects installation of a remote msi file from web.
references:
    - https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022-10-23
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1218.007
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains: '://'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
status experimental author Daniel Degasperi '@d4ns4n_' id 00321fee-ca72-4cce-b011-5415af3b9960
carbon_black query
Provider_Name:MSSQLSERVER$AUDIT EventID:33205 (Data:statement\:TRUNCATE\ TABLE* OR Data:statement\:DROP\ TABLE* OR Data:statement\:DROP\ DATABASE*)
view Sigma YAML
title: MSSQL Destructive Query
id: 00321fee-ca72-4cce-b011-5415af3b9960
status: experimental
description: |
    Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
references:
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
author: Daniel Degasperi '@d4ns4n_'
date: 2025-06-04
tags:
    - attack.exfiltration
    - attack.impact
    - attack.t1485
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'
detection:
    selection:
        Provider_Name: 'MSSQLSERVER$AUDIT'
        EventID: 33205
        Data|contains:
            - 'statement:TRUNCATE TABLE'
            - 'statement:DROP TABLE'
            - 'statement:DROP DATABASE'
    condition: selection
falsepositives:
    - Legitimate transaction from a sysadmin.
level: medium
medium
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
status test author j4son id ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
carbon_black query
(Provider_Name:MSSQL* EventID:18456) (-(Data:CLIENT\:\ 10.* OR Data:CLIENT\:\ 172.16.* OR Data:CLIENT\:\ 172.17.* OR Data:CLIENT\:\ 172.18.* OR Data:CLIENT\:\ 172.19.* OR Data:CLIENT\:\ 172.20.* OR Data:CLIENT\:\ 172.21.* OR Data:CLIENT\:\ 172.22.* OR Data:CLIENT\:\ 172.23.* OR Data:CLIENT\:\ 172.24.* OR Data:CLIENT\:\ 172.25.* OR Data:CLIENT\:\ 172.26.* OR Data:CLIENT\:\ 172.27.* OR Data:CLIENT\:\ 172.28.* OR Data:CLIENT\:\ 172.29.* OR Data:CLIENT\:\ 172.30.* OR Data:CLIENT\:\ 172.31.* OR Data:CLIENT\:\ 192.168.* OR Data:CLIENT\:\ 127.* OR Data:CLIENT\:\ 169.254.* OR Data:CLIENT\:\ <local\ machine>*))
view Sigma YAML
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
      type: similar
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: j4son
date: 2023-10-11
modified: 2025-05-28
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    filter_main_local_ips:
        Data|contains:
            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
            - 'CLIENT: 172.17.'
            - 'CLIENT: 172.18.'
            - 'CLIENT: 172.19.'
            - 'CLIENT: 172.20.'
            - 'CLIENT: 172.21.'
            - 'CLIENT: 172.22.'
            - 'CLIENT: 172.23.'
            - 'CLIENT: 172.24.'
            - 'CLIENT: 172.25.'
            - 'CLIENT: 172.26.'
            - 'CLIENT: 172.27.'
            - 'CLIENT: 172.28.'
            - 'CLIENT: 172.29.'
            - 'CLIENT: 172.30.'
            - 'CLIENT: 172.31.'
            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
            - 'CLIENT: 169.254.' # filter_link-local_addressing: 169.254.0.0/16
            - 'CLIENT: <local machine>'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
status test author Alejandro Ortuno, oscd.community id 23c43900-e732-45a4-8354-63e4a6c187ce
carbon_black query
(TargetFilename:\/etc\/emond.d\/rules\/* TargetFilename:.plist) OR TargetFilename:\/private\/var\/db\/emondClients\/*
view Sigma YAML
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
author: Alejandro Ortuno, oscd.community
date: 2020-10-23
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.014
logsource:
    category: file_event
    product: macos
detection:
    selection_1:
        TargetFilename|contains: '/etc/emond.d/rules/'
        TargetFilename|endswith: '.plist'
    selection_2:
        TargetFilename|contains: '/private/var/db/emondClients/'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
medium
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript of the macOS scripting language AppleScript.
status test author Alejandro Ortuno, oscd.community id 1bc2e6c5-0885-472b-bed6-be5ea8eace55
carbon_black query
(Image:\/osascript (CommandLine:\ \-e\ * OR CommandLine:.scpt* OR CommandLine:.js*)) (-(ParentImage:opencode (CommandLine:osascript* CommandLine:\ \-e\ * CommandLine:set\ imageData\ to\ the\ clipboard* CommandLine:set\ fileRef*)))
view Sigma YAML
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
    - https://redcanary.com/blog/applescript/
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2026-05-21
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains:
            - ' -e '
            - '.scpt'
            - '.js'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Application installers might contain scripts as part of the installation process.
level: medium
medium
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
status test author RedCanary Team (idea), Harjot Singh @cyb3rjy0t id c726e007-2cd0-4a55-abfb-79730fbedee5
carbon_black query
(Operation:UpdateInboxRules* (OperationProperties:Forward* OR OperationProperties:Recipients*)) OR (Operation:Set\-Mailbox* (Parameters:ForwardingSmtpAddress* OR Parameters:ForwardingAddress*)) OR ((Operation:New\-InboxRule* OR Operation:Set\-InboxRule*) (Parameters:ForwardAsAttachmentTo* OR Parameters:ForwardingAddress* OR Parameters:ForwardingSmtpAddress* OR Parameters:ForwardTo* OR Parameters:RedirectTo* OR Parameters:RedirectToRecipients*))
view Sigma YAML
title: Mail Forwarding/Redirecting Activity In O365
id: c726e007-2cd0-4a55-abfb-79730fbedee5
status: test
description: Detects email forwarding or redirecting activity in O365 Audit logs.
references:
    - https://redcanary.com/blog/email-forwarding-rules/
    - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
author: RedCanary Team (idea), Harjot Singh @cyb3rjy0t
date: 2023-10-11
modified: 2024-11-17
tags:
    - attack.collection
    - attack.stealth
    - attack.t1114.003
    - attack.t1564.008
    - attack.exfiltration
    - attack.t1020
    - detection.threat-hunting
logsource:
    service: audit
    product: m365
    definition: "Requirements: The 'OperationProperties' and 'Parameters' fields are a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search"
detection:
    # Note: Might require separation in the future when enough data is gathered
    selection_updateinbox:
        Operation|contains: 'UpdateInboxRules'
        OperationProperties|contains:
            - 'Forward'
            - 'Recipients'
    selection_setmailbox:
        Operation|contains: 'Set-Mailbox'
        Parameters|contains:
            - 'ForwardingSmtpAddress'
            - 'ForwardingAddress'
    selection_setinbox:
        Operation|contains:
            - 'New-InboxRule'
            - 'Set-InboxRule'
        Parameters|contains:
            - 'ForwardAsAttachmentTo'
            - 'ForwardingAddress'
            - 'ForwardingSmtpAddress'
            - 'ForwardTo'
            - 'RedirectTo'
            - 'RedirectToRecipients'
    condition: 1 of selection_*
falsepositives:
    - False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.
level: medium
medium
Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet
status experimental author Nasreddine Bencherchali (Nextron Systems), Marco Pedrinazzi (@pedrinazziM) (InTheCyber) id 0c7686d5-c74e-4292-b224-2a08e956ebc4
carbon_black query
(ScriptBlockText:New\-InboxRule* OR ScriptBlockText:Set\-InboxRule* OR ScriptBlockText:Set\-Mailbox*) (ScriptBlockText:ForwardAsAttachmentTo* OR ScriptBlockText:ForwardingAddress* OR ScriptBlockText:ForwardingSmtpAddress* OR ScriptBlockText:ForwardTo* OR ScriptBlockText:RedirectTo*)
view Sigma YAML
title: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
id: 0c7686d5-c74e-4292-b224-2a08e956ebc4
related:
    - id: c726e007-2cd0-4a55-abfb-79730fbedee5
      type: similar
    - id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
      type: obsolete
status: experimental
description: Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet
references:
    - https://redcanary.com/blog/email-forwarding-rules/
    - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
author: Nasreddine Bencherchali (Nextron Systems), Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-03-01
tags:
    - attack.collection
    - attack.stealth
    - attack.t1114.003
    - attack.t1564.008
    - attack.exfiltration
    - attack.t1020
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'New-InboxRule'
            - 'Set-InboxRule'
            - 'Set-Mailbox'
    selection_params:
        ScriptBlockText|contains:
            - 'ForwardAsAttachmentTo'
            - 'ForwardingAddress'
            - 'ForwardingSmtpAddress'
            - 'ForwardTo'
            - 'RedirectTo' # Also covers "RedirectToRecipients"
    condition: all of selection_*
falsepositives:
    - Legitimate mail forwarding rules created by users or administrators to forward email to designated internal or external recipients for business or operational purposes.
level: medium
medium
Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
status test author Nasreddine Bencherchali (Nextron Systems) id 39b64854-5497-4b57-a448-40977b8c9679
carbon_black query
ImageLoaded:\\wfshbr64.sys OR ImageLoaded:\\ktmutil7odm.sys OR ImageLoaded:\\ktes.sys OR ImageLoaded:\\a26363e7b02b13f2b8d697abb90cd5c3.sys OR ImageLoaded:\\kt2.sys OR ImageLoaded:\\4748696211bd56c2d93c21cab91e82a5.sys OR ImageLoaded:\\malicious.sys OR ImageLoaded:\\a236e7d654cd932b7d11cb604629a2d0.sys OR ImageLoaded:\\spwizimgvt.sys OR ImageLoaded:\\c94f405c5929cfcccc8ad00b42c95083.sys OR ImageLoaded:\\fur.sys OR ImageLoaded:\\wantd.sys OR ImageLoaded:\\windbg.sys OR ImageLoaded:\\4118b86e490aed091b1a219dba45f332.sys OR ImageLoaded:\\gmer64.sys OR ImageLoaded:\\1fc7aeeff3ab19004d2e53eae8160ab1.sys OR ImageLoaded:\\poortry2.sys OR ImageLoaded:\\wintapix.sys OR ImageLoaded:\\daxin_blank6.sys OR ImageLoaded:\\6771b13a53b9c7449d4891e427735ea2.sys OR ImageLoaded:\\blacklotus_driver.sys OR ImageLoaded:\\air_system10.sys OR ImageLoaded:\\dkrtk.sys OR ImageLoaded:\\7.sys OR ImageLoaded:\\sense5ext.sys OR ImageLoaded:\\ktgn.sys OR ImageLoaded:\\ndislan.sys OR ImageLoaded:\\nlslexicons0024uvn.sys OR ImageLoaded:\\be6318413160e589080df02bb3ca6e6a.sys OR ImageLoaded:\\4.sys OR ImageLoaded:\\wantd_2.sys OR ImageLoaded:\\e29f6311ae87542b3d693c1f38e4e3ad.sys OR ImageLoaded:\\daxin_blank3.sys OR ImageLoaded:\\gftkyj64.sys OR ImageLoaded:\\daxin_blank2.sys OR ImageLoaded:\\wantd_4.sys OR ImageLoaded:\\reddriver.sys OR ImageLoaded:\\834761775.sys OR ImageLoaded:\\mlgbbiicaihflrnh.sys OR ImageLoaded:\\mjj0ge.sys OR ImageLoaded:\\daxin_blank.sys OR ImageLoaded:\\daxin_blank5.sys OR ImageLoaded:\\poortry1.sys OR ImageLoaded:\\msqpq.sys OR ImageLoaded:\\mimidrv.sys OR ImageLoaded:\\e939448b28a4edc81f1f974cebf6e7d2.sys OR ImageLoaded:\\prokiller64.sys OR ImageLoaded:\\nodedriver.sys OR ImageLoaded:\\wantd_3.sys OR ImageLoaded:\\lctka.sys OR ImageLoaded:\\kapchelper_x64.sys OR ImageLoaded:\\daxin_blank4.sys OR ImageLoaded:\\a9df5964635ef8bd567ae487c3d214c4.sys OR ImageLoaded:\\wantd_6.sys OR ImageLoaded:\\ntbios.sys OR ImageLoaded:\\wantd_5.sys OR ImageLoaded:\\pciecubed.sys OR ImageLoaded:\\mimikatz.sys OR ImageLoaded:\\nqrmq.sys OR ImageLoaded:\\2.sys OR ImageLoaded:\\poortry.sys OR ImageLoaded:\\ntbios_2.sys OR ImageLoaded:\\fgme.sys OR ImageLoaded:\\telephonuafy.sys OR ImageLoaded:\\typelibde.sys OR ImageLoaded:\\daxin_blank1.sys OR ImageLoaded:\\ef0e1725aaf0c6c972593f860531a2ea.sys OR ImageLoaded:\\5a4fe297c7d42539303137b6d75b150d.sys
view Sigma YAML
title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: test
description: Detects loading of known malicious drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\wfshbr64.sys'
            - '\ktmutil7odm.sys'
            - '\ktes.sys'
            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
            - '\kt2.sys'
            - '\4748696211bd56c2d93c21cab91e82a5.sys'
            - '\malicious.sys'
            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
            - '\spwizimgvt.sys'
            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
            - '\fur.sys'
            - '\wantd.sys'
            - '\windbg.sys'
            - '\4118b86e490aed091b1a219dba45f332.sys'
            - '\gmer64.sys'
            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
            - '\poortry2.sys'
            - '\wintapix.sys'
            - '\daxin_blank6.sys'
            - '\6771b13a53b9c7449d4891e427735ea2.sys'
            - '\blacklotus_driver.sys'
            - '\air_system10.sys'
            - '\dkrtk.sys'
            - '\7.sys'
            - '\sense5ext.sys'
            - '\ktgn.sys'
            - '\ndislan.sys'
            - '\nlslexicons0024uvn.sys'
            - '\be6318413160e589080df02bb3ca6e6a.sys'
            - '\4.sys'
            - '\wantd_2.sys'
            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
            - '\daxin_blank3.sys'
            - '\gftkyj64.sys'
            - '\daxin_blank2.sys'
            - '\wantd_4.sys'
            - '\reddriver.sys'
            - '\834761775.sys'
            - '\mlgbbiicaihflrnh.sys'
            - '\mjj0ge.sys'
            - '\daxin_blank.sys'
            - '\daxin_blank5.sys'
            - '\poortry1.sys'
            - '\msqpq.sys'
            - '\mimidrv.sys'
            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
            - '\prokiller64.sys'
            - '\nodedriver.sys'
            - '\wantd_3.sys'
            - '\lctka.sys'
            - '\kapchelper_x64.sys'
            - '\daxin_blank4.sys'
            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
            - '\wantd_6.sys'
            - '\ntbios.sys'
            - '\wantd_5.sys'
            - '\pciecubed.sys'
            - '\mimikatz.sys'
            - '\nqrmq.sys'
            - '\2.sys'
            - '\poortry.sys'
            - '\ntbios_2.sys'
            - '\fgme.sys'
            - '\telephonuafy.sys'
            - '\typelibde.sys'
            - '\daxin_blank1.sys'
            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
            - '\5a4fe297c7d42539303137b6d75b150d.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.
    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: medium
medium
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
status test author Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community id 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
carbon_black query
ParentImage:\\vsjitdebugger.exe (-(Image:\\vsimmersiveactivatehelper*.exe OR Image:\\devenv.exe))
view Sigma YAML
title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
status: test
description: |
  There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger.
  This option may be used by adversaries to execute malicious code via a signed, verified binary.
  The debugger is installed alongside the Microsoft Visual Studio package.
references:
    - https://twitter.com/pabraeken/status/990758590020452353
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
    - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020-10-14
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vsjitdebugger.exe'
    reduction1:
        Image|endswith: '\vsimmersiveactivatehelper*.exe'
    reduction2:
        Image|endswith: '\devenv.exe'
    condition: selection and not (reduction1 or reduction2)
falsepositives:
    - The process spawned by vsjitdebugger.exe is uncommon.
level: medium
medium
Malicious PowerShell Keywords
Detects keywords from well-known PowerShell exploitation frameworks
status test author Sean Metcalf (source), Florian Roth (Nextron Systems) id f62176f3-8128-4faa-bf6c-83261322e5eb
carbon_black query
ScriptBlockText:AdjustTokenPrivileges* OR ScriptBlockText:IMAGE_NT_OPTIONAL_HDR64_MAGIC* OR ScriptBlockText:Metasploit* OR ScriptBlockText:Microsoft.Win32.UnsafeNativeMethods* OR ScriptBlockText:Mimikatz* OR ScriptBlockText:MiniDumpWriteDump* OR ScriptBlockText:PAGE_EXECUTE_READ* OR ScriptBlockText:ReadProcessMemory.Invoke* OR ScriptBlockText:SE_PRIVILEGE_ENABLED* OR ScriptBlockText:SECURITY_DELEGATION* OR ScriptBlockText:TOKEN_ADJUST_PRIVILEGES* OR ScriptBlockText:TOKEN_ALL_ACCESS* OR ScriptBlockText:TOKEN_ASSIGN_PRIMARY* OR ScriptBlockText:TOKEN_DUPLICATE* OR ScriptBlockText:TOKEN_ELEVATION* OR ScriptBlockText:TOKEN_IMPERSONATE* OR ScriptBlockText:TOKEN_INFORMATION_CLASS* OR ScriptBlockText:TOKEN_PRIVILEGES* OR ScriptBlockText:TOKEN_QUERY*
view Sigma YAML
title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: test
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-06-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'AdjustTokenPrivileges'
            - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
            # - 'LSA_UNICODE_STRING'
            - 'Metasploit'
            - 'Microsoft.Win32.UnsafeNativeMethods'
            - 'Mimikatz'
            - 'MiniDumpWriteDump'
            - 'PAGE_EXECUTE_READ'
            - 'ReadProcessMemory.Invoke'
            - 'SE_PRIVILEGE_ENABLED'
            - 'SECURITY_DELEGATION'
            - 'TOKEN_ADJUST_PRIVILEGES'
            - 'TOKEN_ALL_ACCESS'
            - 'TOKEN_ASSIGN_PRIMARY'
            - 'TOKEN_DUPLICATE'
            - 'TOKEN_ELEVATION'
            - 'TOKEN_IMPERSONATE'
            - 'TOKEN_INFORMATION_CLASS'
            - 'TOKEN_PRIVILEGES'
            - 'TOKEN_QUERY'
    condition: selection
falsepositives:
    - Depending on the scripts, this rule might require some initial tuning to fit the environment
level: medium
medium
Manipulation of User Computer or Group Security Principals Across AD
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.
status test author frack113 id b29a93fb-087c-4b5b-a84d-ee3309e69d08
carbon_black query
ScriptBlockText:System.DirectoryServices.AccountManagement*
view Sigma YAML
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
description: |
    Adversaries may create a domain account to maintain access to victim systems.
    Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
author: frack113
date: 2021-12-28
tags:
    - attack.persistence
    - attack.t1136.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: System.DirectoryServices.AccountManagement
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
medium
Manual Execution of Script Inside of a Compressed File
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. 1. Compressed file opened using 7zip. 2. Compressed file opened using WinRar. 3. Compressed file opened using native Windows File Explorer capabilities. When the malicious script is double-clicked, it will be extracted to the respective directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter.
status test author @kostastsale id 95724fc1-a258-4674-97db-a30351981c5a
carbon_black query
((ParentImage:\\7z*.exe CommandLine:\\AppData\\local\\temp\\7z*\\*) OR (ParentImage:\\winrar.exe CommandLine:\\AppData\\local\\temp\\rar*\\*) OR (ParentImage:\\explorer.exe (CommandLine:\\AppData\\local\\temp\*.rar\\* OR CommandLine:\\AppData\\local\\temp\*.zip\\*))) ((Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\wscript.exe) (CommandLine:.hta OR CommandLine:.js OR CommandLine:.jse OR CommandLine:.ps1 OR CommandLine:.vbe OR CommandLine:.vbs OR CommandLine:.wsf OR CommandLine:.wsh))
view Sigma YAML
title: Manual Execution of Script Inside of a Compressed File
id: 95724fc1-a258-4674-97db-a30351981c5a
status: test
description: |
    This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.

    From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
        1. Compressed file opened using 7zip.
        2. Compressed file opened using WinRar.
        3. Compressed file opened using native Windows File Explorer capabilities.

    When the malicious script is double-clicked, it will be extracted to the respective directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter.
references:
    - https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
    - https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
author: '@kostastsale'
date: 2023-02-15
modified: 2024-08-13
tags:
    - attack.execution
    - attack.t1059
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_7zip:
        ParentImage|endswith: '\7z*.exe'
        CommandLine|contains: '\AppData\local\temp\7z*\'
    selection_parent_winrar:
        ParentImage|endswith: '\winrar.exe'
        CommandLine|contains: '\AppData\local\temp\rar*\'
    selection_parent_explorer:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains:
            - '\AppData\local\temp\*.rar\'
            - '\AppData\local\temp\*.zip\'
    selection_child:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|endswith:
            - '.hta'
            - '.js'
            - '.jse'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: 1 of selection_parent_* and selection_child
falsepositives:
    - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.
level: medium
medium
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
status test author Timur Zinniatullin, oscd.community id 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
carbon_black query
type:execve a0:cp a1:\/bin\/sh a2:\/crond
view Sigma YAML
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: test
description: |
  Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
  Several different variations of this technique have been observed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-08-22
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'execve'
        a0: 'cp'
        a1: '/bin/sh'
        a2|endswith: '/crond'
    condition: selection
level: medium
medium
Mesh Agent Service Installation
Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers.
status test author Nasreddine Bencherchali (Nextron Systems) id e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045) (ImagePath:MeshAgent.exe* OR ServiceName:Mesh\ Agent*)
view Sigma YAML
title: Mesh Agent Service Installation
id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
status: test
description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers.
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'MeshAgent.exe'
        - ServiceName|contains: 'Mesh Agent'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
Microsoft 365 - Impossible Travel Activity
Detects when Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with impossible travel.
status test author Austin Songer @austinsonger id d7eab125-5f94-43df-8710-795b80fa1189
carbon_black query
eventSource:SecurityComplianceCenter eventName:Impossible\ travel\ activity status:success
view Sigma YAML
title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: test
description: Detects when Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with impossible travel.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2020-07-06
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Impossible travel activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft 365 - Potential Ransomware Activity
Detects when Microsoft Cloud App Security reported that a user uploaded files to the cloud that might be infected with ransomware.
status test author austinsonger id bd132164-884a-48f1-aa2d-c6d646b04c69
carbon_black query
eventSource:SecurityComplianceCenter eventName:Potential\ ransomware\ activity status:success
view Sigma YAML
title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: test
description: Detects when Microsoft Cloud App Security reported that a user uploaded files to the cloud that might be infected with ransomware.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Potential ransomware activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft 365 - Unusual Volume of File Deletion
Detects when Microsoft Cloud App Security reported that a user has deleted an unusually large volume of files.
status test author austinsonger id 78a34b67-3c39-4886-8fb4-61c46dc18ecd
carbon_black query
eventSource:SecurityComplianceCenter eventName:Unusual\ volume\ of\ file\ deletion status:success
view Sigma YAML
title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
status: test
description: Detects when Microsoft Cloud App Security reported that a user has deleted an unusually large volume of files.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Unusual volume of file deletion'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft 365 - User Restricted from Sending Email
Detects when the Security Compliance Center reported a user who exceeded the sending limits of the service policies and, because of this, has been restricted from sending email.
status test author austinsonger id ff246f56-7f24-402a-baca-b86540e3925c
carbon_black query
eventSource:SecurityComplianceCenter eventName:User\ restricted\ from\ sending\ email status:success
view Sigma YAML
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: test
description: Detects when the Security Compliance Center reported a user who exceeded the sending limits of the service policies and, because of this, has been restricted from sending email.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1199
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'User restricted from sending email'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location.
status test author Nasreddine Bencherchali (Nextron Systems) id af4c4609-5755-42fe-8075-4effb49f5d44
carbon_black query
Image:\\excel.exe (ImageLoaded:\\Desktop\\* OR ImageLoaded:\\Downloads\\* OR ImageLoaded:\\Perflogs\\* OR ImageLoaded:\\Temp\\* OR ImageLoaded:\\Users\\Public\\* OR ImageLoaded:\\Windows\\Tasks\\*) ImageLoaded:.xll
view Sigma YAML
title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
      type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location.
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium
medium
Microsoft Office Trusted Location Updated
Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
status test author Nasreddine Bencherchali (Nextron Systems) id a0bed973-45fa-4625-adb5-6ecdf9be70ac
carbon_black query
(TargetObject:Security\\Trusted\ Locations\\Location* TargetObject:\\Path) (-((Image:\:\\Program\ Files\\Common\ Files\\Microsoft\ Shared\\ClickToRun\\* Image:\\OfficeClickToRun.exe) OR (Image:\:\\Program\ Files\\Microsoft\ Office\\* OR Image:\:\\Program\ Files\ \(x86\)\\Microsoft\ Office\\*)))
view Sigma YAML
title: Microsoft Office Trusted Location Updated
id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
related:
    - id: f742bde7-9528-42e5-bd82-84f51a8387d2
      type: similar
status: test
description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - During office installations or setup, trusted locations are added, which will trigger this rule.
level: medium
medium
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
status test author elhoim id 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
carbon_black query
Image:\\mobsync.exe (-(DestinationIp:127.* OR DestinationIp:10.* OR DestinationIp:172.16.* OR DestinationIp:172.17.* OR DestinationIp:172.18.* OR DestinationIp:172.19.* OR DestinationIp:172.20.* OR DestinationIp:172.21.* OR DestinationIp:172.22.* OR DestinationIp:172.23.* OR DestinationIp:172.24.* OR DestinationIp:172.25.* OR DestinationIp:172.26.* OR DestinationIp:172.27.* OR DestinationIp:172.28.* OR DestinationIp:172.29.* OR DestinationIp:172.30.* OR DestinationIp:172.31.* OR DestinationIp:192.168.* OR DestinationIp:169.254.* OR DestinationIp:\:\:1 OR DestinationIp:fe8* OR DestinationIp:fe9* OR DestinationIp:fea* OR DestinationIp:feb* OR DestinationIp:fc* OR DestinationIp:fd*))
view Sigma YAML
title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
status test author @SerkinValery id 65744385-8541-44a6-8630-ffc824d7d4cc
carbon_black query
(FileName:\\Microsoft\\Teams\\Cookies* OR FileName:\\Microsoft\\Teams\\Local\ Storage\\leveldb*) (-Image:\\Microsoft\\Teams\\current\\Teams.exe)
view Sigma YAML
title: Microsoft Teams Sensitive File Access By Uncommon Applications
id: 65744385-8541-44a6-8630-ffc824d7d4cc
status: test
description: |
    Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_location:
        # Note: it's best to filter on the full path to avoid false negatives
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects the outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the Outlook process.
status test author Nasreddine Bencherchali (Nextron Systems) id 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
carbon_black query
Image:\\outlook.exe ImageLoaded:\\outlvba.dll
view Sigma YAML
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects the outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the Outlook process.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        ImageLoaded|endswith: '\outlvba.dll'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
medium
Microsoft Workflow Compiler Execution
Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
status test author Nik Seetharaman, frack113 id 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
carbon_black query
Image:\\Microsoft.Workflow.Compiler.exe OR OriginalFileName:Microsoft.Workflow.Compiler.exe
view Sigma YAML
title: Microsoft Workflow Compiler Execution
id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
status: test
description: |
    Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
references:
    - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
author: Nik Seetharaman, frack113
date: 2019-01-16
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Microsoft.Workflow.Compiler.exe'
        - OriginalFileName: 'Microsoft.Workflow.Compiler.exe'
    condition: selection
falsepositives:
    - Legitimate MWC use (unlikely in modern enterprise environments)
level: medium
medium
Modify Group Policy Settings
Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
status test author frack113 id ada4b0c4-758b-46ac-9033-9004613a150d
carbon_black query
(Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System* (CommandLine:GroupPolicyRefreshTimeDC* OR CommandLine:GroupPolicyRefreshTimeOffsetDC* OR CommandLine:GroupPolicyRefreshTime* OR CommandLine:GroupPolicyRefreshTimeOffset* OR CommandLine:EnableSmartScreen* OR CommandLine:ShellSmartScreenLevel*)
view Sigma YAML
title: Modify Group Policy Settings
id: ada4b0c4-758b-46ac-9033-9004613a150d
related:
    - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
      type: similar
status: test
description: Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System'
    selection_key:
        CommandLine|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
medium
Modify Group Policy Settings - ScriptBlockLogging
Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
status test author frack113 id b7216a7d-687e-4c8d-82b1-3080b2ad961f
carbon_black query
ScriptBlockText:\\SOFTWARE\\Policies\\Microsoft\\Windows\\System* (ScriptBlockText:GroupPolicyRefreshTimeDC* OR ScriptBlockText:GroupPolicyRefreshTimeOffsetDC* OR ScriptBlockText:GroupPolicyRefreshTime* OR ScriptBlockText:GroupPolicyRefreshTimeOffset* OR ScriptBlockText:EnableSmartScreen* OR ScriptBlockText:ShellSmartScreenLevel*)
view Sigma YAML
title: Modify Group Policy Settings - ScriptBlockLogging
id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
related:
    - id: ada4b0c4-758b-46ac-9033-9004613a150d
      type: similar
status: test
description: Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_path:
        ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
    selection_key:
        ScriptBlockText|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
medium
Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
status test author IAI id 323ff3f5-0013-4847-bbd4-250b5edb62cc
carbon_black query
(type:EXECVE a0:iptables a1:DROP*) OR (type:EXECVE a0:firewall\-cmd a1:remove*) OR (type:EXECVE a0:ufw a1:delete*) OR (type:EXECVE a0:nft (a1:delete* OR a1:flush*))
view Sigma YAML
title: Modify System Firewall
id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
    - id: 53059bc0-1472-438b-956a-7508a94a91f0
      type: similar
status: test
description: |
    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
    Detection rules that match only on the disabling of firewalls will miss this.
references:
    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
    - https://blog.aquasec.com/container-security-tnt-container-attack
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
author: IAI
date: 2023-03-06
modified: 2025-10-12
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'EXECVE'
        a0: 'iptables'
        a1|contains: 'DROP'
    selection2:
        type: 'EXECVE'
        a0: 'firewall-cmd'
        a1|contains: 'remove'
    selection3:
        type: 'EXECVE'
        a0: 'ufw'
        a1|contains: 'delete'
    selection4:
        type: 'EXECVE'
        a0: 'nft'
        a1|contains:
            - 'delete'
            - 'flush'
    condition: 1 of selection*
falsepositives:
    - Legitimate admin activity
level: medium
medium
Modifying Crontab
Detects suspicious modification of crontab file.
status test author Pawel Mazur id af202fd3-7bff-4212-a25a-fb34606cfcbe
carbon_black query
"REPLACE"
view Sigma YAML
title: Modifying Crontab
id: af202fd3-7bff-4212-a25a-fb34606cfcbe
status: test
description: Detects suspicious modification of crontab file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Pawel Mazur
date: 2022-04-16
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    service: cron
detection:
    keywords:
        - 'REPLACE'
    condition: keywords
falsepositives:
    - Legitimate modification of crontab
level: medium
medium
Monitoring For Persistence Via BITS
BITS allows you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
status test author Sreeman id b9cbbc17-d00d-4e3d-a827-b06d03d2380d
carbon_black query
(Image:\\bitsadmin.exe OR OriginalFileName:bitsadmin.exe) ((CommandLine:\/SetNotifyCmdLine* (CommandLine:%COMSPEC%* OR CommandLine:cmd.exe* OR CommandLine:regsvr32.exe*)) OR (CommandLine:\/Addfile* (CommandLine:http\:* OR CommandLine:https\:* OR CommandLine:ftp\:* OR CommandLine:ftps\:*)))
view Sigma YAML
title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
description: |
    BITS allows you to schedule a command to execute after a successful download to notify you that the job is finished.
    When the job runs on the system, the command specified in the BITS job will be executed.
    This can be abused by actors to create a backdoor within the system and for persistence.
    It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020-10-29
modified: 2024-01-25
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cli_notify_1:
        CommandLine|contains: '/SetNotifyCmdLine'
    selection_cli_notify_2:
        CommandLine|contains:
            - '%COMSPEC%'
            - 'cmd.exe'
            - 'regsvr32.exe'
    selection_cli_add_1:
        CommandLine|contains: '/Addfile'
    selection_cli_add_2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
            - 'ftp:'
            - 'ftps:'
    condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
    - Unknown
level: medium
medium
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users on the system.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id ec52985a-d024-41e3-8ff6-14169039a0b3
carbon_black query
Image:\/mount (CommandLine:hidepid=2* CommandLine:\ \-o\ *)
view Sigma YAML
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users on the system.
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1564
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/mount'
        CommandLine|contains|all:
            - 'hidepid=2'
            - ' -o '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
MsiExec Web Install
Detects suspicious msiexec process starts with web addresses as a parameter.
status test author Florian Roth (Nextron Systems) id f7b5f842-a6af-4da5-9e95-e32478f3cd2f
carbon_black query
CommandLine:\ msiexec* CommandLine:\:\/\/*
view Sigma YAML
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
      type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as a parameter.
references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1218.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' msiexec'
            - '://'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium
Msiexec Quiet Installation
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
status test author frack113 id 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
carbon_black query
((Image:\\msiexec.exe OR OriginalFileName:msiexec.exe) (CommandLine:\-i* OR CommandLine:\/i* OR CommandLine:–i* OR CommandLine:—i* OR CommandLine:―i* OR CommandLine:\-package* OR CommandLine:\/package* OR CommandLine:–package* OR CommandLine:—package* OR CommandLine:―package* OR CommandLine:\-a* OR CommandLine:\/a* OR CommandLine:–a* OR CommandLine:—a* OR CommandLine:―a* OR CommandLine:\-j* OR CommandLine:\/j* OR CommandLine:–j* OR CommandLine:—j* OR CommandLine:―j*) (CommandLine:\-q* OR CommandLine:\/q* OR CommandLine:–q* OR CommandLine:—q* OR CommandLine:―q*)) (-((ParentImage:C\:\\Users\\* ParentImage:\\AppData\\Local\\Temp\\*) OR ParentImage:C\:\\Windows\\Temp\\* OR (ParentImage:C\:\\Windows\\CCM\\Ccm32BitLauncher.exe (IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384))))
view Sigma YAML
title: Msiexec Quiet Installation
id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022-01-16
modified: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    filter_user_temp:
        # The %temp% is a very common location for installers
        ParentImage|startswith: 'C:\Users\'
        ParentImage|contains: '\AppData\Local\Temp\'
    filter_system_temp:
        ParentImage|startswith: 'C:\Windows\Temp\'
    filter_ccm:
        ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - WindowsApps installing updates via the quiet flag
level: medium
medium
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
status test author Timur Zinniatullin, oscd.community id 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
carbon_black query
Image:\\msxsl.exe
view Sigma YAML
title: Msxsl.EXE Execution
id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
status: test
description: |
    Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
    Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
# Note: If you leverage this utility, please consider adding additional filters, as this is looking for "any" type of execution.
level: medium
medium
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.
status test author Harjot Singh (@cyb3rjy0t) id b18454c8-0be3-41f7-86bc-9c614611b839
carbon_black query
LoggedByService:Core\ Directory Category:UserManagement OperationName:Update\ user "TargetResources.ModifiedProperties.DisplayName":StrongAuthenticationRequirement "TargetResources.ModifiedProperties.NewValue":State\"\:0*
view Sigma YAML
title: Multi Factor Authentication Disabled For User Account
id: b18454c8-0be3-41f7-86bc-9c614611b839
status: test
description: |
    Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
    Threat actors were seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.
references:
    - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-21
tags:
    - attack.credential-access
    - attack.persistence
logsource:
    product: azure
    service: auditlogs
    definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'
detection:
    selection:
        LoggedByService: 'Core Directory'
        Category: 'UserManagement'
        OperationName: 'Update user'
        TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
        TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
    condition: selection
falsepositives:
    - Legitimate authorized activity.
level: medium
medium
Multifactor Authentication Denied
The user has indicated they did not initiate the MFA prompt, which could indicate that an attacker has the password for the account.
status test author AlertIQ id e40f4962-b02b-4192-9bfe-245f7ece1f99
carbon_black query
AuthenticationRequirement:multiFactorAuthentication Status:MFA\ Denied*
view Sigma YAML
title: Multifactor Authentication Denied
id: e40f4962-b02b-4192-9bfe-245f7ece1f99
status: test
description: The user has indicated they did not initiate the MFA prompt, which could indicate that an attacker has the password for the account.
references:
    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
author: AlertIQ
date: 2022-03-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: 'multiFactorAuthentication'
        Status|contains: 'MFA Denied'
    condition: selection
falsepositives:
    - Users actually log in but mis-click the Deny button on the MFA prompt.
level: medium
medium
Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
status test author AlertIQ id 5496ff55-42ec-4369-81cb-00f417029e25
carbon_black query
(ResultType:50074 ResultDescription:Strong\ Auth\ required*) OR (ResultType:500121 ResultDescription:Authentication\ failed\ during\ strong\ authentication\ request*)
view Sigma YAML
title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
NTLM Brute Force
Detects common NTLM brute force device names
status test author Jerry Shockley '@jsh0x' id 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
carbon_black query
EventID:8004 (WorkstationName:Rdesktop OR WorkstationName:Remmina OR WorkstationName:Freerdp OR WorkstationName:Windows7 OR WorkstationName:Windows8 OR WorkstationName:Windows2012 OR WorkstationName:Windows2016 OR WorkstationName:Windows2019)
view Sigma YAML
title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022-02-02
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium
medium
NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
status test author Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
carbon_black query
Provider_Name:LsaSrv (EventID:6038 OR EventID:6039)
view Sigma YAML
title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID:
            - 6038
            - 6039
    condition: selection
falsepositives:
    - Environments that use NTLMv1
level: medium
medium
NetSupport Manager Service Install
Detects NetSupport Manager service installation on the target system.
status test author Nasreddine Bencherchali (Nextron Systems) id 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
carbon_black query
(Provider_Name:Service\ Control\ Manager EventID:7045) (ImagePath:\\NetSupport\ Manager\\client32.exe* OR ServiceName:Client32)
view Sigma YAML
title: NetSupport Manager Service Install
id: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
status: test
description: Detects NetSupport Manager service installation on the target system.
references:
    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    #   <EventData>
    #       <Data Name="ServiceName">Client32</Data>
    #       <Data Name="ImagePath">"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *</Data>
    #       <Data Name="ServiceType">user mode service</Data>
    #       <Data Name="StartType">auto start</Data>
    #       <Data Name="AccountName">LocalSystem</Data>
    #   </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: '\NetSupport Manager\client32.exe'
        - ServiceName: 'Client32'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
Netcat The Powershell Version
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
status test author frack113 id c5b20776-639a-49bf-94c7-84f912b91c15
carbon_black query
Data:powercat\ * OR Data:powercat.ps1*
view Sigma YAML
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/besimorhino/powercat
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021-07-21
modified: 2023-10-27
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1095
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage
status test author frack113 id 347906f3-e207-4d18-ae5b-a9403d6bcdef
carbon_black query
(Image:\\netsh.exe OR OriginalFileName:netsh.exe) (CommandLine:advfirewall* CommandLine:firewall* CommandLine:set* CommandLine:rule* CommandLine:group=* CommandLine:new* CommandLine:enable=Yes*)
view Sigma YAML
title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022-01-09
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'advfirewall'
            - 'firewall'
            - 'set'
            - 'rule'
            - 'group='
            - 'new'
            - 'enable=Yes'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
Network Communication Initiated To Portmap.IO Domain
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
status test author Florian Roth (Nextron Systems) id 07837ab9-60e1-481f-a74d-c31fb496a94c
carbon_black query
Initiated:true DestinationHostname:.portmap.io
view Sigma YAML
title: Network Communication Initiated To Portmap.IO Domain
id: 07837ab9-60e1-481f-a74d-c31fb496a94c
status: test
description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
references:
    - https://portmap.io/
    - https://github.com/rapid7/metasploit-framework/issues/11337
    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.t1041
    - attack.command-and-control
    - attack.t1090.002
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.portmap.io'
    condition: selection
falsepositives:
    - Legitimate use of portmap.io domains
level: medium
medium
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
status test author Dmitriy Lifanov, oscd.community id c7e91a02-d771-4a6d-a700-42587e0b1095
carbon_black query
Initiated:true Image:\\regsvr32.exe
view Sigma YAML
title: Network Connection Initiated By Regsvr32.EXE
id: c7e91a02-d771-4a6d-a700-42587e0b1095
status: test
description: Detects a network connection initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Network Connection Initiated From Users\Public Folder
Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone. Use this rule to hunt for potentially suspicious or uncommon activity in your environment.
status test author Florian Roth (Nextron Systems) id bcb03938-9f8b-487d-8d86-e480691e1d71
carbon_black query
(Initiated:true Image:\:\\Users\\Public\\*) (-Image:\:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\*)
view Sigma YAML
title: Network Connection Initiated From Users\Public Folder
id: bcb03938-9f8b-487d-8d86-e480691e1d71
related:
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: derived
status: test
description: |
    Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
    Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone.
    Use this rule to hunt for potentially suspicious or uncommon activity in your environment.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.command-and-control
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains: ':\Users\Public\'
    filter_optional_ibm:
        Image|contains: ':\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location (Added by Tim Shelton - https://github.com/SigmaHQ/sigma/pull/3053/files)
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely from legitimate third party application that execute from the "Public" directory.
level: medium
medium
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
status test author Nasreddine Bencherchali (Nextron Systems) id 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
No stored carbon_black translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
related:
    - id: e043f529-8514-4205-8ab0-7f7d2927b400
      type: derived
status: test
description: |
    Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
modified: 2024-07-16
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: 'azurewebsites.net'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah id 9e02c8ec-02b9-43e8-81eb-34a475ba7965
carbon_black query
Initiated:true DestinationHostname:.btunnel.co.in
view Sigma YAML
title: Network Connection Initiated To BTunnels Domains
id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
status: test
description: |
    Detects network connections to BTunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
author: Kamran Saifullah
date: 2024-09-13
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.btunnel.co.in'
    condition: selection
falsepositives:
    - Legitimate use of BTunnels will also trigger this.
level: medium
medium
Network Connection Initiated To Cloudflared Tunnels Domains
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems) id 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
carbon_black query
Initiated:true (DestinationHostname:.v2.argotunnel.com OR DestinationHostname:protocol\-v2.argotunnel.com OR DestinationHostname:trycloudflare.com OR DestinationHostname:update.argotunnel.com)
view Sigma YAML
title: Network Connection Initiated To Cloudflared Tunnels Domains
id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
related:
    - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
      type: derived
status: test
description: |
    Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-27
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium
medium
Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah id 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
carbon_black query
Initiated:true DestinationHostname:.devtunnels.ms
view Sigma YAML
title: Network Connection Initiated To DevTunnels Domain
id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
related:
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: Kamran Saifullah
date: 2023-11-20
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567.001
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium
medium
Network Connection Initiated To Visual Studio Code Tunnels Domain
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah id 4b657234-038e-4ad5-997c-4be42340bce4
carbon_black query
Initiated:true DestinationHostname:.tunnels.api.visualstudio.com
view Sigma YAML
title: Network Connection Initiated To Visual Studio Code Tunnels Domain
id: 4b657234-038e-4ad5-997c-4be42340bce4
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://cydefops.com/vscode-data-exfiltration
author: Kamran Saifullah
date: 2023-11-20
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
    condition: selection
falsepositives:
    - Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
medium
New AWS Lambda Function URL Configuration Created
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
status experimental author Ivan Saakov id ec541962-c05a-4420-b9ea-84de072d18f4
carbon_black query
eventSource:lambda.amazonaws.com eventName:CreateFunctionUrlConfig
view Sigma YAML
title: New AWS Lambda Function URL Configuration Created
id: ec541962-c05a-4420-b9ea-84de072d18f4
status: experimental
description: |
    Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
    This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
references:
    - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc
    - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.initial-access
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName: 'CreateFunctionUrlConfig'
    condition: selection
falsepositives:
    - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Showing 551-600 of 1,492