Palo Alto Cortex XDR

559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Rule count per ATT&CK tactic (filter by technique from the ATT&CK matrix):
Reconnaissance: 4
Resource Development: 5
Initial Access: 7
Execution: 25
Persistence: 31
Privilege Escalation: 17
Stealth: 63
Defense Impairment: 16
Credential Access: 26
Discovery: 24
Lateral Movement: 10
Collection: 11
Command and Control: 18
Exfiltration: 7
Impact: 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 559
Level: medium · Quality: Moderate · Alert volume: Medium FP
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. Attackers can use this to extract data for BloodHound, harvest usernames for password spraying, or mine the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.
Status: experimental · Author: Arnim Rupp (Nextron Systems), Thomas Patzke · ATT&CK: sub-technique · ID: 0a1255c5-d732-4b62-ac02-b5152d34fb83
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\ADExp.exe", "*\ADExplorer.exe", "*\ADExplorer64.exe", "*\ADExplorer64a.exe")) and 
 action_file_name contains ".dat"))
Sigma YAML:
title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: similar
status: experimental
description: Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. Attackers can use this to extract data for BloodHound, harvest usernames for password spraying, or mine the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.
references:
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ADExp.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADExplorer64a.exe'
        TargetFilename|endswith: '.dat'
    condition: selection
falsepositives:
    - Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · ID: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter (event_type = ENUM.FILE and 
 event_sub_type = ENUM.FILE_REMOVE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains ":Zone.Identifier" and 
 (not 
 (actor_process_image_path in ("C:\Program Files\PowerShell\7-preview\pwsh.exe", "C:\Program Files\PowerShell\7\pwsh.exe", "C:\Windows\explorer.exe", "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "C:\Windows\SysWOW64\explorer.exe", "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"))) and 
 (not 
 ((actor_process_image_path in ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", "C:\Program Files\Google\Chrome\Application\chrome.exe")) or 
 (actor_process_image_path in ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe", "C:\Program Files\Mozilla Firefox\firefox.exe")) or 
 (actor_process_image_path in ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "C:\Program Files\Microsoft\Edge\Application\msedge.exe"))))))
Sigma YAML:
title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
ADSI-Cache File Creation By Uncommon Tool
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Status: test · Author: xknow @xknow_infosec, Tim Shelton · ATT&CK: sub-technique · ID: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "\Local\Microsoft\Windows\SchCache\" and 
 action_file_name contains ".sch") and 
 (not 
 (((actor_process_image_path in ("*:\Program Files\Cylance\Desktop\CylanceSvc.exe", "*:\Windows\CCM\CcmExec.exe", "*:\windows\system32\dllhost.exe", "*:\Windows\system32\dsac.exe", "*:\Windows\system32\efsui.exe", "*:\windows\system32\mmc.exe", "*:\windows\system32\svchost.exe", "*:\Windows\System32\wbem\WmiPrvSE.exe", "*:\windows\system32\WindowsPowerShell\v1.0\powershell.exe")) or 
 (actor_process_image_path in ("*:\Windows\ccmsetup\autoupgrade\ccmsetup*", "*:\Program Files\SentinelOne\Sentinel Agent*"))) or 
 ((actor_process_image_path contains ":\Program Files\" and 
 actor_process_image_path contains "\Microsoft Office") and 
 actor_process_image_path contains "\OUTLOOK.EXE"))) and 
 (not 
 (actor_process_image_path in ("*\LANDesk\LDCLient\ldapwhoami.exe", "*:\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe")))))
Sigma YAML:
title: ADSI-Cache File Creation By Uncommon Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
references:
    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
    - https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec, Tim Shelton
date: 2019-03-24
modified: 2023-10-18
tags:
    - attack.t1001.003
    - attack.command-and-control
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
        TargetFilename|endswith: '.sch'
    filter_main_generic:
        - Image|endswith:
              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
              - ':\Windows\CCM\CcmExec.exe'
              - ':\windows\system32\dllhost.exe'
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\efsui.exe'
              - ':\windows\system32\mmc.exe'
              - ':\windows\system32\svchost.exe'
              - ':\Windows\System32\wbem\WmiPrvSE.exe'
              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains:
              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
    filter_main_office:
        Image|contains|all:
            - ':\Program Files\'
            - '\Microsoft Office'
        Image|endswith: '\OUTLOOK.EXE'
    filter_optional_ldapwhoami:
        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
    filter_optional_citrix:
        # Example:
        #   TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate tools which perform ADSI (LDAP) operations, e.g. any remoting activity by MMC, PowerShell, Windows etc.
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Status: test · Author: Julia Fomina, oscd.community · ATT&CK: technique · ID: 074e0ded-6ced-4ebd-8b4d-53f55908119d
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "winrm" and 
 ((action_process_image_command_line in ("*format:pretty*", "*format:\"pretty\"*", "*format:\"text\"*", "*format:text*")) and 
 (not 
 (action_process_image_path in ("C:\Windows\System32\*", "C:\Windows\SysWOW64\*"))))))
Sigma YAML:
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    contains_format_pretty_arg:
        CommandLine|contains:
            - 'format:pretty'
            - 'format:"pretty"'
            - 'format:"text"'
            - 'format:text'
    image_from_system_folder:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    contains_winrm:
        CommandLine|contains: 'winrm'
    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
falsepositives:
    - Unlikely
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Status: test · Author: Julia Fomina, oscd.community · ATT&CK: technique · ID: d353dac0-1b41-46c2-820c-d7d2561fc6ed
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*WsmPty.xsl", "*WsmTxt.xsl")) and 
 (not 
 (action_file_name in ("C:\Windows\System32\*", "C:\Windows\SysWOW64\*")))))
Sigma YAML:
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
    - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
      type: derived
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1216
logsource:
    product: windows
    category: file_event
detection:
    system_files:
        TargetFilename|endswith:
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder
falsepositives:
    - Unlikely
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Abusing Print Executable
Attackers can use print.exe for remote file copy
Status: test · Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative · ATT&CK: technique · ID: bafac3d6-7de9-4dd9-8874-4a1194b493ed
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\print.exe" and 
 action_process_image_command_line contains "print" and 
 (action_process_image_command_line contains "/D" and 
 action_process_image_command_line contains ".exe")) and 
 (not 
 action_process_image_command_line contains "print.exe")))
Sigma YAML:
title: Abusing Print Executable
id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
status: test
description: Attackers can use print.exe for remote file copy
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Print/
    - https://twitter.com/Oddvarmoe/status/985518877076541440
author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\print.exe'
        CommandLine|startswith: 'print'
        CommandLine|contains|all:
            - '/D'
            - '.exe'
    filter_print:
        CommandLine|contains: 'print.exe'
    condition: selection and not filter_print
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Access of Sudoers File Content
Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers, potentially in order to list all users that have sudo rights.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · ID: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path in ("*/cat", "*/ed", "*/egrep", "*/emacs", "*/fgrep", "*/grep", "*/head", "*/less", "*/more", "*/nano", "*/tail")) and 
 action_process_image_command_line contains " /etc/sudoers"))
Sigma YAML:
title: Access of Sudoers File Content
id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
status: test
description: Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers, potentially in order to list all users that have sudo rights.
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2025-06-04
tags:
    - attack.reconnaissance
    - attack.t1592.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/egrep'
            - '/emacs'
            - '/fgrep'
            - '/grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nano'
            - '/tail'
        CommandLine|contains: ' /etc/sudoers'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Activate Suppression of Windows Security Center Notifications
Detects Notification_Suppress being set to 1, which disables Windows Security Center notifications.
Status: test · Author: frack113 · ATT&CK: technique · ID: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")))
Sigma YAML:
title: Activate Suppression of Windows Security Center Notifications
id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
status: test
description: Detects Notification_Suppress being set to 1, which disables Windows Security Center notifications.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger is invoked whenever an application crashes.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic only · ID: 092af964-4233-4373-b4ba-d86ea2890288
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger" and 
 (action_registry_value_name contains ".dll" or 
 action_registry_data contains ".dll")) and 
 (not 
 (action_registry_value_name = "\"C:\WINDOWS\system32\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p" or 
 action_registry_data = "\"C:\WINDOWS\system32\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p"))))
Sigma YAML:
title: Add Debugger Entry To AeDebug For Persistence
id: 092af964-4233-4373-b4ba-d86ea2890288
status: test
description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger is invoked whenever an application crashes.
references:
    - https://persistence-info.github.io/Data/aedebug.html
    - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger'
        Details|endswith: '.dll'
    filter:
        Details: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'
    condition: selection and not filter
falsepositives:
    - Legitimate use of the key to set up a debugger, which is often the case on developer machines
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Add DisallowRun Execution to Registry
Detects DisallowRun being set to 1, which prevents users from running specific programs.
Status: test · Author: frack113 · ATT&CK: technique · ID: 275641a5-a492-45e2-a817-7c81e9d9d3e9
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")))
Sigma YAML:
title: Add DisallowRun Execution to Registry
id: 275641a5-a492-45e2-a817-7c81e9d9d3e9
status: test
description: Detects DisallowRun being set to 1, which prevents users from running specific programs.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Add Port Monitor Persistence in Registry
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Status: test · Author: frack113 · ATT&CK: sub-technique · ID: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\Control\Print\Monitors\" and 
 (action_registry_value_name contains ".dll" or 
 action_registry_data contains ".dll")) and 
 (not 
 ((actor_process_image_path = "C:\Windows\System32\spoolsv.exe" and 
 action_registry_key_name contains "\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver" and 
 (action_registry_value_name = "cpwmon64_v40.dll" or 
 action_registry_data = "cpwmon64_v40.dll") and 
 (actor_effective_username in ("*AUTHORI*", "*AUTORI*"))) or 
 action_registry_key_name contains "\Control\Print\Monitors\MONVNC\Driver" or 
 (action_registry_key_name contains "Control\Print\Environments\" and 
 action_registry_key_name contains "\Drivers\" and 
 action_registry_key_name contains "\VNC Printer")))))
Sigma YAML:
title: Add Port Monitor Persistence in Registry
id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
status: test
description: |
    Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
    A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
author: frack113
date: 2021-12-30
modified: 2024-03-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Control\Print\Monitors\'
        Details|endswith: '.dll'
    filter_optional_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
        Details: 'cpwmon64_v40.dll'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_monvnc:
        TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
    filter_optional_vnc:
        TargetObject|contains|all:
            - 'Control\Print\Environments\'
            - '\Drivers\'
            - '\VNC Printer'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml
simulation:
    - type: atomic-red-team
      name: Add Port Monitor persistence in Registry
      technique: T1547.010
      atomic_guid: d34ef297-f178-4462-871e-9ce618d44e50
Level: medium · Quality: Moderate · Alert volume: High FP
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
Status: test · Author: @ROxPinTeddy · ATT&CK: technique · ID: fed85bf9-e075-4280-9159-fbe8a023d6fa
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name contains "\AppData\Local\Temp\Advanced IP Scanner 2")
Sigma YAML:
title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
      type: derived
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-11-29
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
    condition: selection
falsepositives:
    - Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
Level: medium · Quality: Moderate · Alert volume: Medium FP
Allow RDP Remote Assistance Feature
Detects the RDP Remote Assistance feature being enabled so that a specific user can connect over RDP to the targeted machine.
Status: test · Author: frack113 · ATT&CK: technique · ID: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")))
Sigma YAML:
title: Allow RDP Remote Assistance Feature
id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
status: test
description: Detects the RDP Remote Assistance feature being enabled so that a specific user can connect over RDP to the targeted machine.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the feature (alerts should be investigated either way)
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml
simulation:
    - type: atomic-red-team
      name: Allow RDP Remote Assistance Feature
      technique: T1112
      atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e
Level: medium · Quality: Strong · Alert volume: Medium FP
Always Install Elevated Windows Installer
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
Status: test · Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community · ATT&CK: sub-technique · ID: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((((action_process_image_path contains "\Windows\Installer\" and 
 action_process_image_path contains "msi") and 
 action_process_image_path contains "tmp") or 
 (action_process_image_path contains "\msiexec.exe" and 
 (action_process_integrity_level in ("System", "S-1-16-16384")))) and 
 (action_process_username in ("*AUTHORI*", "*AUTORI*")) and 
 (not 
 (actor_process_image_path = "C:\Windows\System32\services.exe" or 
 (action_process_image_command_line contains "\system32\msiexec.exe /V" or 
 actor_process_command_line contains "\system32\msiexec.exe /V") or 
 actor_process_image_path contains "C:\ProgramData\Sophos\" or 
 actor_process_image_path contains "C:\ProgramData\Avira\" or 
 (actor_process_image_path in ("C:\Program Files\Avast Software\*", "C:\Program Files (x86)\Avast Software\*")) or 
 (actor_process_image_path in ("C:\Program Files\Google\Update\*", "C:\Program Files (x86)\Google\Update\*"))))))
Sigma YAML:
title: Always Install Elevated Windows Installer
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
status: test
description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_image_1:
        Image|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        Image|endswith: 'tmp'
    selection_image_2:
        Image|endswith: '\msiexec.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_installer:
        ParentImage: 'C:\Windows\System32\services.exe'
    filter_repair:
        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
    filter_sophos:
        ParentImage|startswith: 'C:\ProgramData\Sophos\'
    filter_avira:
        ParentImage|startswith: 'C:\ProgramData\Avira\'
    filter_avast:
        ParentImage|startswith:
            - 'C:\Program Files\Avast Software\'
            - 'C:\Program Files (x86)\Avast Software\'
    filter_google_update:
        ParentImage|startswith:
            - 'C:\Program Files\Google\Update\'
            - 'C:\Program Files (x86)\Google\Update\'
    condition: 1 of selection_image_* and selection_user and not 1 of filter_*
falsepositives:
    - System administrator usage
    - Antivirus products
    - WindowsApps located in "C:\Program Files\WindowsApps\"
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: 6ec86d9e-912e-4726-91a2-209359b999b9
Cortex XDR query:
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\amsi.dll" and 
 (actor_process_image_path in ("*\ExtExport.exe", "*\odbcconf.exe", "*\rundll32.exe"))))
Sigma YAML:
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: test
description: Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack.
references:
    - Internal Research
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.defense-impairment
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\amsi.dll'
        Image|endswith:
            # TODO: Add more interesting processes
            - '\ExtExport.exe'
            - '\odbcconf.exe'
            # - '\regsvr32.exe' # legitimately calls amsi.dll
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · ID: 0b9ad457-2554-44c1-82c2-d56a99c42377
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name in ("*\AppData\Roaming\AnyDesk\user.conf*", "*\AppData\Roaming\AnyDesk\system.conf*")))
Sigma YAML:
title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2024-07-20
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Roaming\AnyDesk\user.conf'
            - '\AppData\Roaming\AnyDesk\system.conf'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
Level: medium · Quality: Strong · Alert volume: Medium FP
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.
Status: test · Author: Victor Sergeev, oscd.community · ATT&CK mapping: technique · ID: eee00933-a761-4cd0-be70-c42fe91731e7
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\GfxDownloadWrapper.exe" and 
 (action_process_image_command_line in ("*http://*", "*https://*"))) and 
 (not 
 action_process_image_command_line contains "https://gameplayapi.intel.com/")))
Sigma YAML:
title: Arbitrary File Download Via GfxDownloadWrapper.EXE
id: eee00933-a761-4cd0-be70-c42fe91731e7
status: test
description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.
references:
    - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-10-18
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GfxDownloadWrapper.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
    filter_main_known_urls:
        CommandLine|contains: 'https://gameplayapi.intel.com/'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Arbitrary File Download Via Squirrel.EXE
Detects usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community · ATT&CK mapping: technique · ID: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*\squirrel.exe", "*\update.exe")) and 
 (action_process_image_command_line in ("* --download *", "* --update *", "* --updateRollback=*")) and 
 action_process_image_command_line contains "http"))
Sigma YAML:
title: Arbitrary File Download Via Squirrel.EXE
id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
related:
    - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsolete
status: test
description: |
    Detects usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_download_cli:
        CommandLine|contains:
            - ' --download '
            - ' --update '
            - ' --updateRollback='
    selection_download_http_keyword:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · ID: 90d50722-0483-4065-8e35-57efaadd354d
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains " -t msi-install " and 
 action_process_image_command_line contains " -i http"))
Sigma YAML:
title: Arbitrary MSI Download Via Devinit.EXE
id: 90d50722-0483-4065-8e35-57efaadd354d
status: test
description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
references:
    - https://twitter.com/mrd0x/status/1460815932402679809
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' -t msi-install '
            - ' -i http'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Status: test · Author: Sreeman · ATT&CK mapping: sub-technique · ID: 24de4f3b-804c-4165-b442-5a06a2302c7e
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains ".SettingContent-ms" and 
 (not 
 action_process_image_command_line contains "immersivecontrolpanel")))
Sigma YAML:
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
status: test
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
references:
    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
author: Sreeman
date: 2020-03-13
modified: 2022-04-14
tags:
    - attack.t1204
    - attack.t1566.001
    - attack.execution
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '.SettingContent-ms'
    filter:
        CommandLine|contains: 'immersivecontrolpanel'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: a01b8329-5953-4f73-ae2d-aa01e1f35f00
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*:\Windows\Microsoft.NET\Framework\*", "*:\Windows\Microsoft.NET\Framework64\*", "*:\Windows\Microsoft.NET\FrameworkArm\*", "*:\Windows\Microsoft.NET\FrameworkArm64\*")) and 
 action_process_image_path contains "\aspnet_compiler.exe"))
Sigma YAML:
title: AspNetCompiler Execution
id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: frack113
date: 2021-11-24
modified: 2025-02-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\aspnet_compiler.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: 4c7f49ee-2638-43bb-b85b-ce676c30b260
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\aspnet_compiler.exe" and 
 (action_file_name contains "\Temporary ASP.NET Files\" and 
 action_file_name contains "\assembly\tmp\" and 
 action_file_name contains ".dll")))
Sigma YAML:
title: Assembly DLL Creation Via AspNetCompiler
id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: |
    Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\aspnet_compiler.exe'
        TargetFilename|contains|all:
            - '\Temporary ASP.NET Files\'
            - '\assembly\tmp\'
            - '.dll'
    condition: selection
falsepositives:
    - Legitimate assembly compilation using a build provider
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
Status: test · Author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: c57872c7-614f-4d7f-a40d-b78c8df2d30d
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*LoadAssemblyFromPath *", "*LoadAssemblyFromNS *")))
Sigma YAML:
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: test
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
references:
    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within PowerShell, a classical process creation event would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags, for example.
        CommandLine|contains:
            - 'LoadAssemblyFromPath '
            - 'LoadAssemblyFromNS '
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Status: test · Author: Mateusz Wydra, oscd.community · ATT&CK mapping: technique · ID: 9577edbb-851f-4243-8c91-1d5b50c1a39b
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter event_type = ENUM.REGISTRY and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*", "*Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration*")) and 
 (not 
 ((actor_process_image_path = "C:\Windows\system32\atbroker.exe" and 
 action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration" and 
 (action_registry_value_name = "(Empty)" or 
 action_registry_data = "(Empty)")) or 
 (actor_process_image_path contains "C:\Windows\Installer\MSI" and 
 action_registry_key_name contains "Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs")))))
Sigma YAML:
title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
status: test
description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
references:
    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-13
modified: 2023-01-19
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1218
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
    filter_atbroker:
        Image: 'C:\Windows\system32\atbroker.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
        Details: '(Empty)'
    filter_uninstallers:
        Image|startswith: 'C:\Windows\Installer\MSI'
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
    condition: selection and not 1 of filter_*
falsepositives:
    - Creation of non-default, legitimate at usage
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
Status: test · Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*WindowsAudioDevice-Powershell-Cmdlet*", "*Toggle-AudioDevice*", "*Get-AudioDevice *", "*Set-AudioDevice *", "*Write-AudioDevice *")))
Sigma YAML:
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
status: test
description: Detects audio capture via PowerShell Cmdlet.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
    - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
    - https://github.com/frgnca/AudioDeviceCmdlets
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-04-06
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'WindowsAudioDevice-Powershell-Cmdlet'
            - 'Toggle-AudioDevice'
            - 'Get-AudioDevice '
            - 'Set-AudioDevice '
            - 'Write-AudioDevice '
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user.
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Audio Capture via SoundRecorder
Detects an attacker collecting audio via the SoundRecorder application.
Status: test · Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community · ATT&CK mapping: technique · ID: 83865853-59aa-449e-9600-74b9d89a6d6e
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\SoundRecorder.exe" and 
 action_process_image_command_line contains "/FILE"))
Sigma YAML:
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
status: test
description: Detects an attacker collecting audio via the SoundRecorder application.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\SoundRecorder.exe'
        CommandLine|contains: '/FILE'
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user.
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
BPFtrace Unsafe Option Usage
Detects the usage of the unsafe bpftrace option
Status: test · Author: Andreas Hunkeler (@Karneades) · ATT&CK mapping: sub-technique · ID: f8341cb2-ee25-43fa-a975-d8a5a9714b39
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "bpftrace" and 
 action_process_image_command_line contains "--unsafe"))
Sigma YAML:
title: BPFtrace Unsafe Option Usage
id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
status: test
description: Detects the usage of the unsafe bpftrace option
references:
    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
    - https://bpftrace.org/
author: Andreas Hunkeler (@Karneades)
date: 2022-02-11
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'bpftrace'
        CommandLine|contains: '--unsafe'
    condition: selection
falsepositives:
    - Legitimate usage of the unsafe option
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Backup Files Deleted
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: 06125661-3814-4e03-bfa2-1e4411c60ac3
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter (event_type = ENUM.FILE and 
 event_sub_type = ENUM.FILE_REMOVE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\cmd.exe", "*\powershell.exe", "*\pwsh.exe", "*\wt.exe", "*\rundll32.exe", "*\regsvr32.exe")) and 
 (action_file_name in ("*.VHD", "*.bac", "*.bak", "*.wbcat", "*.bkf", "*.set", "*.win", "*.dsk"))))
Sigma YAML:
title: Backup Files Deleted
id: 06125661-3814-4e03-bfa2-1e4411c60ac3
status: test
description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
author: frack113
date: 2022-01-02
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wt.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
        TargetFilename|endswith:
            - '.VHD'
            - '.bac'
            - '.bak'
            - '.wbcat'
            - '.bkf'
            - '.set'
            - '.win'
            - '.dsk'
    condition: selection
falsepositives:
    - Legitimate usage
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Browser Started with Remote Debugging
Detects browsers starting with remote debugging flags, a technique often used to perform browser injection attacks.
Status: test · Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: b3d34dc5-2efd-4ae3-845f-8ec14921f449
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains " --remote-debugging-" or 
 (action_process_image_path contains "\firefox.exe" and 
 action_process_image_command_line contains " -start-debugger-server")))
Sigma YAML:
title: Browser Started with Remote Debugging
id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
related:
    - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
      type: derived
status: test
description: Detects browsers starting with remote debugging flags, a technique often used to perform browser injection attacks.
references:
    - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
    - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://github.com/wunderwuzzi23/firefox-cookiemonster
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-27
modified: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1185
logsource:
    category: process_creation
    product: windows
detection:
    selection_chromium_based:
        # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
        CommandLine|contains: ' --remote-debugging-'
    selection_firefox:
        Image|endswith: '\firefox.exe'
        CommandLine|contains: ' -start-debugger-server'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
Status: test · Author: Antonlovesdnb · ATT&CK mapping: sub-technique · ID: d13c43f0-f66b-4279-8b2c-5912077c1780
Cortex XDR query:
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\excel.exe", "*\mspub.exe", "*\outlook.exe", "*\onenote.exe", "*\onenoteim.exe", "*\powerpnt.exe", "*\winword.exe")) and 
 action_module_path contains "\clr.dll"))
Sigma YAML:
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains: '\clr.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
COM Hijacking via TreatAs
Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · ID: dc5c24af-6995-49b2-86eb-a9ff62199e82
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "TreatAs\(Default)" and 
 (not 
 ((actor_process_image_path contains "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\" and 
 actor_process_image_path contains "\OfficeClickToRun.exe") or 
 (actor_process_image_path in ("C:\Program Files\Microsoft Office\root\integration\integrator.exe", "C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe")) or 
 actor_process_image_path = "C:\Windows\system32\svchost.exe" or 
 (actor_process_image_path in ("C:\Windows\system32\msiexec.exe", "C:\Windows\SysWOW64\msiexec.exe"))))))
Sigma YAML:
title: COM Hijacking via TreatAs
id: dc5c24af-6995-49b2-86eb-a9ff62199e82
status: test
description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
author: frack113
date: 2022-08-28
modified: 2025-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'TreatAs\(Default)'
    filter_office:
        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_office2:
        Image:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_svchost:
        # Example of target object by svchost
        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        Image: 'C:\Windows\system32\svchost.exe'
    filter_misexec:
        # This FP has been seen during installation/updates
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
COM Object Execution via Xwizard.EXE
Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run a custom COM object created in the registry.
status: test · author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line = "RunWizard" and 
 action_process_image_command_line ~= "\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}"))
view Sigma YAML
title: COM Object Execution via Xwizard.EXE
id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
status: test
description: |
    Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
    This utility can be abused in order to run a custom COM object created in the registry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
    - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-07
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: 'RunWizard'
        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
CSExec Service File Creation
Detects default CSExec service filename which indicates CSExec service installation and execution
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name contains "\csexecsvc.exe")
view Sigma YAML
title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects default CSExec service filename which indicates CSExec service installation and execution
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\csexecsvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: Medium FP
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
status: test · author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress · ATT&CK: tactic-only · id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\ScreenConnect.Service.exe" and 
 (action_file_name in ("*ScreenConnect\App_Extensions\*.ashx", "*ScreenConnect\App_Extensions\*.aspx"))) and 
 (not 
 (action_file_name in ("*ScreenConnect\App_Extensions\*\*")))))
view Sigma YAML
title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
related:
    - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
      type: similar
status: test
description: |
    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
date: 2024-02-21
tags:
    - attack.persistence
    - cve.2024-1708
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\ScreenConnect.Service.exe'
        TargetFilename|endswith:
            - 'ScreenConnect\\App_Extensions\\*.ashx'
            - 'ScreenConnect\\App_Extensions\\*.aspx'
    filter_main_legit_extension:
        TargetFilename|contains: 'ScreenConnect\App_Extensions\\*\\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - This will occur legitimately as well and will result in some benign activity.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Cab File Extraction Via Wusa.EXE
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a cab file using the "/extract" argument, which is no longer supported.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\wusa.exe" and 
 action_process_image_command_line contains "/extract:"))
view Sigma YAML
title: Cab File Extraction Via Wusa.EXE
id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
related:
    - id: c74c0390-3e20-41fd-a69a-128f0275a5ea
      type: derived
status: test
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a cab file using the "/extract" argument, which is no longer supported.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-04
modified: 2024-08-15
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    condition: selection
falsepositives:
    - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)
level: medium
level: medium · quality: Moderate · alert volume: High FP
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*Export-PfxCertificate *", "*Export-Certificate *")))
view Sigma YAML
title: Certificate Exported Via PowerShell
id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
related:
    - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
      type: similar
status: test
description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-18
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1552.004
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Export-PfxCertificate '
            - 'Export-Certificate '
    condition: selection
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
status: test · author: frack113 · ATT&CK: sub-technique · id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\reg.exe" and 
 (action_process_image_command_line contains "add " and 
 action_process_image_command_line contains "SYSTEM\CurrentControlSet\Services\" and 
 action_process_image_command_line contains " ImagePath ")) and 
 (action_process_image_command_line contains " -d " or 
 action_process_image_command_line contains " /d " or 
 action_process_image_command_line contains " –d " or 
 action_process_image_command_line contains " —d " or 
 action_process_image_command_line contains " ―d ")))
view Sigma YAML
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'add '
            - 'SYSTEM\CurrentControlSet\Services\'
            - ' ImagePath '
    selection_value:
        CommandLine|contains|windash: ' -d '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
status: test · author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io · ATT&CK: sub-technique · id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path contains "/chmod" and 
 (action_process_image_command_line in ("*/tmp/*", "*/.Library/*", "*/etc/*", "*/opt/*"))) and 
 (not 
 ((action_process_image_command_line contains "chmod --reference=/etc/shells" and 
 actor_process_command_line contains "/update-shells") or 
 (action_process_image_command_line contains "/etc/" and 
 (actor_process_command_line contains "/var/lib/dpkg/info/" and 
 actor_process_command_line contains ".postinst configure")) or 
 action_process_image_command_line contains "chmod 700 /tmp/apt-key-gpghome." or 
 action_process_image_command_line contains "chmod 755 /var/tmp/mkinitramfs" or 
 action_process_image_command_line = "chmod 0775 /etc/landscape/" or 
 action_process_image_command_line = "chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu"))))
view Sigma YAML
title: Chmod Targeting Sensitive Directories
id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
status: test
description: |
    Detects chmod targeting files in sensitive directory paths on Linux systems.
    Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-03
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    filter_main_update_shells:
        CommandLine|contains: 'chmod --reference=/etc/shells'
        ParentCommandLine|endswith: '/update-shells'
    filter_main_postinst:
        CommandLine|contains: '/etc/'
        ParentCommandLine|contains|all:
            - '/var/lib/dpkg/info/'
            - '.postinst configure'
    filter_main_apt_key:
        CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
    filter_main_mkinitramfs:
        CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
    filter_main_landscape:
        CommandLine: 'chmod 0775 /etc/landscape/'
    filter_main_ubuntu_apparmor:
        CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
status: test · author: Aedan Russell, frack113, X__Junior (Nextron Systems) · ATT&CK: sub-technique · id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*\brave.exe", "*\chrome.exe", "*\msedge.exe", "*\opera.exe", "*\vivaldi.exe")) and 
 action_process_image_command_line contains "--load-extension="))
view Sigma YAML
title: Chromium Browser Instance Executed With Custom Extension
id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
related:
    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
      type: similar
status: test
description: Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
level: medium · quality: Moderate · alert volume: Medium FP
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded by many exploits for CVEs that target the Common Log File System driver.
status: experimental · author: X__Junior · ATT&CK: technique · id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\clfs.sys" and 
 ((actor_process_image_path in ("*:\Perflogs\*", "*:\Users\Public\*", "*\Temporary Internet*", "*\Windows\Temp\*")) or 
 ((actor_process_image_path contains ":\Users\" and 
 actor_process_image_path contains "\Favorites\") or 
 (actor_process_image_path contains ":\Users\" and 
 actor_process_image_path contains "\Favourites\") or 
 (actor_process_image_path contains ":\Users\" and 
 actor_process_image_path contains "\Contacts\") or 
 (actor_process_image_path contains ":\Users\" and 
 actor_process_image_path contains "\Pictures\")))))
view Sigma YAML
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded by many exploits for CVEs that target the Common Log File System driver.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
ClickOnce Deployment Execution - Dfsvc.EXE Child Process
Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\dfsvc.exe" and 
 action_process_image_path contains "\AppData\Local\Apps\2.0\"))
view Sigma YAML
title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
status: test
description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - detection.threat-hunting
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dfsvc.exe'
        Image|endswith: '\AppData\Local\Apps\2.0\'
    condition: selection
falsepositives:
    - False positives are expected in environments leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
status: test · author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\" and 
 (action_registry_key_name in ("*\Internet", "*\LocalIntranet", "*\MyComputer", "*\TrustedSites", "*\UntrustedSites")) and 
 (action_registry_value_name = "Enabled" or 
 action_registry_data = "Enabled")))
view Sigma YAML
title: ClickOnce Trust Prompt Tampering
id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
status: test
description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-06-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
        TargetObject|endswith:
            - '\Internet'
            - '\LocalIntranet'
            - '\MyComputer'
            - '\TrustedSites'
            - '\UntrustedSites'
        Details: 'Enabled'
    condition: selection
falsepositives:
    - Legitimate internal requirements.
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Clipboard Access Via OSAScript
Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
status: test · author: Sohan G (D4rkCiph3r) · ATT&CK: sub-technique · id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 ((action_process_image_path contains "/osascript" and 
 (action_process_image_command_line contains " -e " and 
 action_process_image_command_line contains "clipboard")) and 
 (not 
 (actor_process_image_path contains "opencode" and 
 (action_process_image_command_line contains "osascript" and 
 action_process_image_command_line contains " -e " and 
 action_process_image_command_line contains "set imageData to the clipboard" and 
 action_process_image_command_line contains "set fileRef")))))
view Sigma YAML
title: Clipboard Access Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2026-05-22
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains|all:
            - ' -e '
            - 'clipboard'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate clipboard utilities and automation scripts that read or write clipboard content
    - Developer tools and IDEs that use osascript for clipboard integration
level: medium
level: medium · quality: Moderate · alert volume: High FP
Clipboard Data Collection Via Pbpaste
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
status: test · author: Daniel Cortez · ATT&CK: technique · id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 action_process_image_path contains "/pbpaste")
view Sigma YAML
title: Clipboard Data Collection Via Pbpaste
id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
status: test
description: |
    Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
    The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
    It can also be used in shell scripts that may require clipboard content as input.
    Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
    Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
references:
    - https://www.loobins.io/binaries/pbpaste/
    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
    - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
author: Daniel Cortez
date: 2024-07-30
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1115
    - detection.threat-hunting
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/pbpaste'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
level: medium · quality: Strong · alert volume: High FP
Cloudflared Portable Execution
Detects the execution of the "cloudflared" binary from a non-standard location.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\cloudflared.exe" and 
 (not 
 (action_process_image_path in ("*:\Program Files (x86)\cloudflared\*", "*:\Program Files\cloudflared\*")))))
view Sigma YAML
title: Cloudflared Portable Execution
id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
status: test
description: |
    Detects the execution of the "cloudflared" binary from a non-standard location.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - https://github.com/cloudflare/cloudflared/releases
author: Nasreddine Bencherchali (Nextron Systems)
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cloudflared.exe'
    filter_main_admin_location:
        Image|contains:
            - ':\Program Files (x86)\cloudflared\'
            - ':\Program Files\cloudflared\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of Cloudflared portable versions
level: medium
level: medium · quality: Moderate · alert volume: High FP
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains " tunnel " and 
 action_process_image_command_line contains "cleanup ") and 
 (action_process_image_command_line in ("*-config *", "*-connector-id *"))))
Sigma YAML
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
references:
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - 'cleanup '
        CommandLine|contains:
            - '-config '
            - '-connector-id '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared.
level: medium
level: medium · quality tier: Strong · alert-volume tier: High FP
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
status: test · author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains " tunnel " and 
 action_process_image_command_line contains " run ") and 
 (action_process_image_command_line in ("*-config *", "*-credentials-contents *", "*-credentials-file *", "*-token *"))))
Sigma YAML
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - ' run '
        CommandLine|contains:
            - '-config '
            - '-credentials-contents '
            - '-credentials-file '
            - '-token '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared tunnel.
level: medium
level: medium · quality tier: Moderate · alert-volume tier: High FP
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell).
status: test · author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community · ATT&CK: sub-technique · id: 1ac8666b-046f-4201-8aba-1951aaec03a3
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\cmd.exe" and 
 (action_process_image_command_line contains "http" and 
 action_process_image_command_line contains "://" and 
 action_process_image_command_line contains "%AppData%")))
Sigma YAML
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'http' # captures both http and https
            - '://'
            - '%AppData%'
    condition: selection
falsepositives:
    - High
level: medium
level: medium · quality tier: Moderate · alert-volume tier: High FP
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK: sub-technique · id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "qlogin" and 
 action_process_image_command_line contains "_+_PublicSharingUser_") and 
 action_process_image_command_line ~= "[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"))
Sigma YAML
title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
status: experimental
description: |
    Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
    This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - detection.emerging-threats
    - cve.2025-57788
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - '_+_PublicSharingUser_'
        # Detects the use of a GUID as the password, which is indicative of an exploit attempt
        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'
    condition: selection
falsepositives:
    - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
level: medium
level: medium · quality tier: Moderate · alert-volume tier: Medium FP
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt collected data prior to exfiltration using 3rd party utilities.
status: test · author: frack113 · ATT&CK: sub-technique · id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*winzip.exe*", "*winzip64.exe*")) and 
 action_process_image_command_line contains "-s\"" and 
 (action_process_image_command_line in ("* -min *", "* -a *"))))
Sigma YAML
title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium