title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium

title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
status: test
description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - detection.threat-hunting
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dfsvc.exe'
        Image|endswith: '\AppData\Local\Apps\2.0\'
    condition: selection
falsepositives:
    - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
level: medium

title: ClickOnce Trust Prompt Tampering
id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
status: test
description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-06-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
        TargetObject|endswith:
            - '\Internet'
            - '\LocalIntranet'
            - '\MyComputer'
            - '\TrustedSites'
            - '\UntrustedSites'
        Details: 'Enabled'
    condition: selection
falsepositives:
    - Legitimate internal requirements.
level: medium

title: Clipboard Access Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2026-05-22
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains|all:
            - ' -e '
            - 'clipboard'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate clipboard utilities and automation scripts that read or write clipboard content
    - Developer tools and IDEs that use osascript for clipboard integration
level: medium

title: Clipboard Data Collection Via Pbpaste
id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
status: test
description: |
    Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
    The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
    It can also be used in shell scripts that may require clipboard content as input.
    Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
    Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
references:
    - https://www.loobins.io/binaries/pbpaste/
    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
    - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
author: Daniel Cortez
date: 2024-07-30
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1115
    - detection.threat-hunting
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/pbpaste'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium

title: Cloudflared Portable Execution
id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
status: test
description: |
    Detects the execution of the "cloudflared" binary from a non standard location.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - https://github.com/cloudflare/cloudflared/releases
author: Nasreddine Bencherchali (Nextron Systems)
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cloudflared.exe'
    filter_main_admin_location:
        Image|contains:
            - ':\Program Files (x86)\cloudflared\'
            - ':\Program Files\cloudflared\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of Cloudflared portable versions
level: medium

title: Cloudflared Quick Tunnel Execution
id: 222129f7-f4dc-4568-b0d2-22440a9639ba
related:
    - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
      type: similar
    - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
      type: similar
status: test
description: |
    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
    The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
    The tool has been observed in use by threat groups including Akira ransomware.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
author: Sajid Nawaz Khan
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cloudflared.exe'
              - '\cloudflared-windows-386.exe'
              - '\cloudflared-windows-amd64.exe'
        - Hashes|contains:
              - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
              - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
              - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
              - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
              - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
              - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
              - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
              - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
              - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
              - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
              - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
              - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
              - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
              - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
              - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
              - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
              - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
              - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
              - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
              - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
              - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
              - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
              - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
              - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
              - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
              - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
              - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
              - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
              - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
              - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
              - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
              - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
              - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
              - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
              - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
              - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
              - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
              - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
    # Note:
    #   Accounts for the cloudflared binaries being renamed
    #   `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names
    selection_param:
        - CommandLine|contains|all:
              - '-url'
              - 'tunnel'
        - CommandLine|contains:
              - '.exe -url'
              - '.exe --url'
    selection_other:
        CommandLine|contains|all:
            - '-url'
            - '-no-autoupdate'
    condition: (selection_img and selection_param) or selection_other
falsepositives:
    - Legitimate usage of Cloudflare Quick Tunnel
level: medium

title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - 'cleanup '
        CommandLine|contains:
            - '-config '
            - '-connector-id '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared.
level: medium

title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - ' run '
        CommandLine|contains:
            - '-config '
            - '-credentials-contents '
            - '-credentials-file '
            - '-token '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared tunnel.
level: medium

title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflared tunnels domains.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium

title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
    - attack.stealth
    - attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_hidden_start_1:
        CommandLine|contains|windash:
            - 'start '
            - 'start/b'
            - 'start/min'
    selection_cmd_hidden_start_2:
        CommandLine|contains|windash:
            - '/b '
            - '/b"'
            - '/min '
            - '/min"'
    selection_cli_uncommon_location:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\'
            - '\Music\'
            - '\Photos\'
            - '\Temporary Internet\'
            - '\Users\Public\'
            - '\Videos\'
    selection_cli_susp_extension:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    selection_cli_susp_pattern:
        CommandLine|contains:
            - ' -nop '
            - ' -sta '
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '-noni '
            - '-w hidden '
    condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
    - Legitimate administrative scripts running from temporary folders.
    - Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml

title: Code Execution via Pcwutl.dll
id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
status: test
description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
    - https://twitter.com/harr0ey/status/989617817849876488
author: Julia Fomina, oscd.community
date: 2020-10-05
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'pcwutl'
            - 'LaunchApplication'
    condition: all of selection_*
falsepositives:
    - Use of Program Compatibility Troubleshooter Helper
level: medium

title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
      type: derived
status: test
description: |
    Detects a CodePage modification using the "mode.com" utility to Russian language.
    This behavior has been used by threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior:"mode con cp select=1251"
    # VT Query: behavior:"mode con cp select=866"
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
        CommandLine|endswith:
            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
    condition: all of selection_*
falsepositives:
    - Russian speaking people changing the CodePage
level: medium

title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'http' # captures both http and https
            - '://'
            - '%AppData%'
    condition: selection
falsepositives:
    - High
level: medium

title: Common Autorun Keys Modification
id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
            - '\SYSTEM\Setup\CmdLine'
            - '\Software\Microsoft\Ctf\LangBarAddin'
            - '\Software\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Classes\Protocols\Handler'
            - '\SOFTWARE\Classes\Protocols\Filter'
            - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
            - '\Environment\UserInitMprLogonScript'
            - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
            - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
            - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
            - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
            - '\Control Panel\Desktop\Scrnsave.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
              - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
        - Details:
              - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
              - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
              - '{42089D2D-912D-4018-9087-2B87803E93FB}'
              - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
              - '{807583E5-5146-11D5-A672-00B0D022E945}'
    filter_optional_chrome:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}'
    filter_optional_edge:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
    filter_optional_IE:
        TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'
    filter_optional_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_optional_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
status: experimental
description: |
    Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
    This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - detection.emerging-threats
    - cve.2025-57788
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - '_+_PublicSharingUser_'
        # Detects the use of a GUID as the password, which is indicative of an exploit attempt
        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'
    condition: selection
falsepositives:
    - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
level: medium

title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2026-06-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
              - '7zr.exe'
    selection_password:
        CommandLine|contains: ' -p'
    selection_action:
        CommandLine|contains:
            - ' a '
            - ' u '
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since compressing files with a password is common.
level: medium

title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
    - id: db885529-903f-4c5d-9864-28fe199e6370
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        CommandLine|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: all of selection_*
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium

title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
    - id: 435e10e4-992a-4281-96f3-38b11106adde
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium

title: Computer Password Change Via Ksetup.EXE
id: de16d92c-c446-4d53-8938-10aeef41c8b6
status: test
description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
references:
    - https://twitter.com/Oddvarmoe/status/1641712700605513729
    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ksetup.exe'
        - OriginalFileName: 'ksetup.exe'
    selection_cli:
        CommandLine|contains: ' /setcomputerpassword '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe'  # Seen several times in a testing environment
            # - '\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
            - '-k wusvcs -p -s WaaSMedicSvc'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1614.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - 'chcp'
            - 'chcp '
            - 'chcp  '
    condition: selection
falsepositives:
    - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
    - Discord was seen using chcp to look up code pages
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml

title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'ConvertTo-SecureString'
    condition: all of selection_*
falsepositives:
    - Legitimate use to pass password to different powershell commands
level: medium

title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium

title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
      type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
    - https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
    - https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003.002
    - attack.t1005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
        EventID: 1001
    condition: selection
level: medium

title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
    - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1564
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate disabling of crashdumps
level: medium

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
references:
    - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2024-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - detection.threat-hunting
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium

title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
    - https://access.redhat.com/articles/4409591#audit-record-types-2
    - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall_record_type:
        type: 'SYSCALL'
        exe|endswith: '/useradd'
    selection_add_user_record_type:
        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
    condition: 1 of selection_*
falsepositives:
    - Admin activity
level: medium

title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: test
description: |
    Detects creation of specific system DLL files that are  usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
    Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
            - '\SprintCSP.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml

title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: test
description: |
    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.namespace: kube-system
    condition: selection
falsepositives:
    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
level: medium

title: Creation Of a Suspicious ADS File Outside a Browser Download
id: 573df571-a223-43bc-846e-3f98da481eca
status: test
description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
references:
    - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
author: frack113
date: 2022-10-22
modified: 2023-06-12
tags:
    - attack.stealth
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|startswith: '[ZoneTransfer]  ZoneId=3'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains:
            - '.exe'
            - '.scr'
            - '.bat'
            - '.cmd'
            - '.docx'
            - '.hta'
            - '.jse'
            - '.lnk'
            - '.pptx'
            - '.ps'
            - '.reg'
            - '.sct'
            - '.vb'
            - '.wsc'
            - '.wsf'
            - '.xlsx'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_snipping_tool:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
        Image|endswith: '\SnippingTool\SnippingTool.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Packages\Microsoft.ScreenSketch_'
            - '\TempState\Screenshot '
        TargetFilename|endswith: '.png:Zone.Identifier'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Other legitimate browsers not currently included in the filter (please add them)
    - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
level: medium

title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2026-05-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\WerFault.exe'
            - '\wer.dll'
    filter_main_known_locations:
        TargetFilename|startswith:
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\UUS\' # covers both C:\Windows\UUS\arm64\ and C:\Windows\UUS\packages\
    filter_main_process:
        Image|endswith: '\wuaucltcore.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
references:
    - https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
date: 2022-06-08
tags:
    - attack.resource-development
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.diagcab'
    condition: selection
falsepositives:
    - Legitimate microsoft diagcab
level: medium

title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
    - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
    - https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith:
              - '\credui.dll'
              - '\wincredui.dll'
        - OriginalFileName:
              - 'credui.dll'
              - 'wincredui.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\SystemApps\'
    filter_main_full:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
    filter_optional_opera:
        Image|endswith: '\opera_autoupdate.exe'
    filter_optional_process_explorer:
        Image|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
    filter_optional_teams:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\Teams\'
        Image|endswith: '\Teams.exe'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate processes loading those DLLs in your environment.
level: medium

title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes based on name and location that access the windows credential manager and vault.
    Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium

title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects passwords dumps from Keychain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
    - https://gist.github.com/Capybara/6228955
author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1555.001
logsource:
    category: process_creation
    product: macos
detection:
    selection1:
        Image: '/usr/bin/security'
        CommandLine|contains:
            - 'find-certificate'
            - ' export '
    selection2:
        CommandLine|contains:
            - ' dump-keychain '
            - ' login-keychain '
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium

title: Cscript/Wscript Potentially Suspicious Child Process
id: b6676963-0353-4f88-90f5-36c20d443c6a
status: test
description: |
    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
references:
    - Internal Research
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
date: 2023-05-15
modified: 2024-01-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli_script_main:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    # Note: Add other combinations that are suspicious
    selection_cli_script_option_mshta:
        CommandLine|contains|all:
            - 'mshta'
            - 'http'
    selection_cli_script_option_other:
        CommandLine|contains:
            - 'rundll32'
            - 'regsvr32'
            - 'msiexec'
    selection_cli_standalone:
        Image|endswith: '\rundll32.exe'
    filter_main_rundll32_known_exports:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'UpdatePerUserSystemParameters'
            - 'PrintUIEntry'
            - 'ClearMyTracksByProcess'
    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
falsepositives:
    - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
level: medium

title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: test
description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
modified: 2025-12-11
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # Example: This command line would trigger the rule
    # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_header_flag_1:
        CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
    selection_header_flag_2:
        CommandLine|contains: '--header'
    selection_user_agent:
        CommandLine|contains: 'User-Agent:'
    condition: selection_img and 1 of selection_header_* and selection_user_agent
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml

title: Curl.EXE Execution With Custom UserAgent
id: 3286d37a-00fd-41c2-a624-a672dcd34e60
status: test
description: Detects execution of curl.exe with custom useragent options
references:
    - https://curl.se/docs/manpage.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
author: frack113
date: 2022-01-23
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_curl:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_opt:
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: all of selection_*
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium

title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: C:\Windows\System32\spoolsv.exe
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    selection_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
            - '\RunOnce\'
            - '\RunOnceEx\'
            - '\RunServices\'
            - '\RunServicesOnce\'
            - '\Policies\System\Shell'
            - '\Policies\Explorer\Run'
            - '\Group Policy\Scripts\Startup'
            - '\Group Policy\Scripts\Shutdown'
            - '\Group Policy\Scripts\Logon'
            - '\Group Policy\Scripts\Logoff'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
    filter_main_generic_all:
        - Details: '(Empty)'
        - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
        - Image|endswith:
              - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
              - '\AppData\Roaming\Spotify\Spotify.exe'
              - '\AppData\Local\WebEx\WebexHost.exe'
        - Image:
              - 'C:\WINDOWS\system32\devicecensus.exe'
              - 'C:\Windows\system32\winsat.exe'
              - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
              - 'C:\Program Files\Everything\Everything.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_null:
        Details: null
    filter_main_logonui:
        Image: 'C:\Windows\system32\LogonUI.exe'
        TargetObject|contains:
            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'  # PIN
            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'  # fingerprint
            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'  # facial recognizion
            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'  # Trusted Signal (Phone proximity, Network location)
    filter_main_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    filter_main_defender:
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    filter_main_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
    filter_main_ctfmon:
        Image: 'C:\Windows\system32\userinit.exe'
        Details: 'ctfmon.exe /n'
    filter_optional_dropbox:
        Image: 'C:\Windows\system32\regsvr32.exe'
        TargetObject|contains: 'DropboxExt'
        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
    filter_optional_opera_1:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
        Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
    filter_optional_opera_2:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
        Details:
            - 'C:\Program Files\Opera\launcher.exe'
            - 'C:\Program Files (x86)\Opera\launcher.exe'
    filter_optional_itunes:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
        Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
    filter_optional_zoom:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
        Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
    filter_optional_greenshot:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
        Details: 'C:\Program Files\Greenshot\Greenshot.exe'
    filter_optional_googledrive1:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
        Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
        Details|contains: '\GoogleDriveFS.exe'
    filter_optional_googledrive2:
        TargetObject|contains: 'GoogleDrive'
        Details:
            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
    filter_optional_onedrive:
        Details|startswith:
            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|contains: '\AppData\Local\Microsoft\OneDrive\'
    filter_optional_python:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
        Details|contains|all:
            - '\AppData\Local\Package Cache\{'
            - '}\python-'
        Details|endswith: '.exe" /burn.runonce'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart'
    filter_optional_AVG_setup:
        Image|contains:
            - 'C:\Program Files\AVG\Antivirus\Setup\'
            - 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
            - '{472083B1-C522-11CF-8763-00608CC02F24}'
    filter_optional_Avast:
        Image|contains:
            - 'C:\Program Files\Avast Software\Avast\Setup\'
            - 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
    filter_optional_AVG_avgtoolsvc:
        Image:
            - 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
        Details: 'Binary Data'
    filter_optional_aurora_dashboard:
        Image|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
        Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
    filter_optional_everything:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
        Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
    filter_optional_discord:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
        Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    selection_nt_current_version:
        TargetObject|contains:
            - '\Winlogon\VmApplet'
            - '\Winlogon\Userinit'
            - '\Winlogon\Taskman'
            - '\Winlogon\Shell'
            - '\Winlogon\GpExtensions'
            - '\Winlogon\AppSetup'
            - '\Winlogon\AlternateShells\AvailableShells'
            - '\Windows\IconServiceLib'
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
            - '\Font Drivers'
            - '\Drivers32'
            - '\Windows\Run'
            - '\Windows\Load'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
        TargetObject|contains: '\Image File Execution Options\'
        TargetObject|endswith:
            - '\DisableExceptionChainValidation'
            - '\MitigationOptions'
    filter_main_security_extension_dc:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetObject|contains:
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000009)'
            - 'DWORD (0x000003c0)'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
    filter_optional_edge:
        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        Image|endswith: '\MicrosoftEdgeUpdate.exe'
    filter_optional_avguard:
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
        TargetObject|endswith:
            - '\userinit\UseAsDefault'
            - '\shell\UseAsDefault'
        Details:
            - 'explorer.exe'
            - 'C:\Windows\system32\userinit.exe,'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
        - Image:
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
        Image|endswith: '\ngen.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
    - https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research)
date: 2018-11-28
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: spoolss
    condition: selection
falsepositives:
    - 'Domain Controllers acting as printer servers too? :)'
level: medium

title: DLL Call by Ordinal Via Rundll32.EXE
id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
status: stable
description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
references:
    - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
    - https://github.com/Neo23x0/DLLRunner
    - https://twitter.com/cyb3rops/status/1186631731543236608
    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
author: Florian Roth (Nextron Systems)
date: 2019-10-22
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - ',#'
            - ', #'
            - '.dll #'  # Sysmon removes , in its log
            - '.ocx #'  # HermeticWizard
    filter_optional_edge:
        CommandLine|contains|all:
            - 'EDGEHTML.dll'
            - '#141'
    filter_optional_vsbuild_dll:
        ParentImage|contains:
            - '\Msbuild\Current\Bin\'
            - '\VC\Tools\MSVC\'
            - '\Tracker.exe'
        CommandLine|contains:
            - '\FileTracker32.dll,#1'
            - '\FileTracker32.dll",#1'
            - '\FileTracker64.dll,#1'
            - '\FileTracker64.dll",#1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment.
    - Windows control panel elements have been identified as source (mmc).
level: medium

title: DLL Execution Via Register-cimprovider.exe
id: a2910908-e86f-4687-aeba-76a5f996e652
status: test
description: Detects using register-cimprovider.exe to execute arbitrary dll file.
references:
    - https://twitter.com/PhilipTsukerman/status/992021361106268161
    - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
author: Ivan Dyachkov, Yulia Fomina, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\register-cimprovider.exe'
        CommandLine|contains|all:
            - '-path'
            - 'dll'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: DLL Execution via Rasautou.exe
id: cd3d1298-eb3b-476c-ac67-12847de55813
status: test
description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
    - https://github.com/fireeye/DueDLLigence
    - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
author: Julia Fomina, oscd.community
date: 2020-10-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
    definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
detection:
    selection_img:
        - Image|endswith: '\rasautou.exe'
        - OriginalFileName: 'rasdlui.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - ' -p '
    condition: all of selection*
falsepositives:
    - Unlikely
level: medium