
Palo Alto Cortex XDR

559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 559
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious MacOS Firmware Activity
Detects when a user manipulates the firmware password on macOS. NOTE - this command has been disabled on Apple silicon-based computers.
status: test · author: Austin Songer @austinsonger · ATT&CK: tactic-only · id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_path = "/usr/sbin/firmwarepasswd" and 
 (action_process_image_command_line in ("*setpasswd*", "*full*", "*delete*", "*check*"))))
view Sigma YAML
title: Suspicious MacOS Firmware Activity
id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
status: test
description: Detects when a user manipulates the firmware password on macOS. NOTE - this command has been disabled on Apple silicon-based computers.
references:
    - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
    - https://www.manpagez.com/man/8/firmwarepasswd/
    - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
author: Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    category: process_creation
    product: macos
detection:
    selection1:
        Image: '/usr/sbin/firmwarepasswd'
        CommandLine|contains:
            - 'setpasswd'
            - 'full'
            - 'delete'
            - 'check'
    condition: selection1
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
status: test · author: frack113 · ATT&CK: sub-technique · id: 4a2a2c3e-209f-4d01-b513-4155a540b469
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_path in ("*\powershell.exe", "*\pwsh.exe", "*\cmd.exe")) and 
 (actor_process_command_line contains "MsiExec.exe" and 
 actor_process_command_line contains "-Embedding ")) and 
 (not 
 ((action_process_image_path contains ":\Windows\System32\cmd.exe" and 
 action_process_image_command_line contains "C:\Program Files\SplunkUniversalForwarder\bin\") or 
 (action_process_image_command_line contains "\DismFoDInstall.cmd" or 
 (actor_process_command_line contains "\MsiExec.exe -Embedding " and 
 actor_process_command_line contains "Global\MSI0000"))))))
view Sigma YAML
title: Suspicious MsiExec Embedding Parent
id: 4a2a2c3e-209f-4d01-b513-4155a540b469
status: test
description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-16
modified: 2022-07-14
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        ParentCommandLine|contains|all:
            - 'MsiExec.exe'
            - '-Embedding '
    filter_splunk_ufw:
        Image|endswith: ':\Windows\System32\cmd.exe'
        CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_vs:
        - CommandLine|contains: '\DismFoDInstall.cmd'
        - ParentCommandLine|contains|all:
              - '\MsiExec.exe -Embedding '
              - 'Global\MSI0000'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Msiexec Execute Arbitrary DLL
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
status: test · author: frack113 · ATT&CK: sub-technique · id: 6f4191bb-912b-48a8-9ce7-682769541e6d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\msiexec.exe" and 
 (action_process_image_command_line contains " -Y" or 
 action_process_image_command_line contains " /Y" or 
 action_process_image_command_line contains " –Y" or 
 action_process_image_command_line contains " —Y" or 
 action_process_image_command_line contains " ―Y")) and 
 (not 
 (action_process_image_command_line in ("*\MsiExec.exe\" /Y \"C:\Program Files\*", "*\MsiExec.exe\" /Y \"C:\Program Files (x86)\*", "*\MsiExec.exe\" /Y \"C:\Windows\System32\*", "*\MsiExec.exe\" /Y \"C:\Windows\SysWOW64\*")))))
view Sigma YAML
title: Suspicious Msiexec Execute Arbitrary DLL
id: 6f4191bb-912b-48a8-9ce7-682769541e6d
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-01-16
modified: 2026-01-09
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: ' /Y'
    filter_main_legit_path:
        CommandLine|contains:
            - '\MsiExec.exe" /Y "C:\Program Files\'
            - '\MsiExec.exe" /Y "C:\Program Files (x86)\'
            - '\MsiExec.exe" /Y "C:\Windows\System32\'
            - '\MsiExec.exe" /Y "C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate script
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
status: test · author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
cortex_xdr query
config case_sensitive = false | preset=network_story | filter event_type = ENUM.NETWORK and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_external_hostname in ("www.ip.cn", "l2.io")) or 
 (action_external_hostname in ("*api.2ip.ua*", "*api.bigdatacloud.net*", "*api.ipify.org*", "*bot.whatismyipaddress.com*", "*canireachthe.net*", "*checkip.amazonaws.com*", "*checkip.dyndns.org*", "*curlmyip.com*", "*db-ip.com*", "*edns.ip-api.com*", "*eth0.me*", "*freegeoip.app*", "*geoipy.com*", "*getip.pro*", "*icanhazip.com*", "*ident.me*", "*ifconfig.io*", "*ifconfig.me*", "*ip-api.com*", "*ip.360.cn*", "*ip.anysrc.net*", "*ip.taobao.com*", "*ip.tyk.nu*", "*ipaddressworld.com*", "*ipapi.co*", "*ipconfig.io*", "*ipecho.net*", "*ipinfo.io*", "*ipip.net*", "*ipof.in*", "*ipv4.icanhazip.com*", "*ipv4bot.whatismyipaddress.com*", "*ipv6-test.com*", "*ipwho.is*", "*jsonip.com*", "*myexternalip.com*", "*seeip.org*", "*wgetip.com*", "*whatismyip.akamai.com*", "*whois.pconline.com.cn*", "*wtfismyip.com*"))) and 
 (not 
 (actor_process_image_path contains "\brave.exe" or 
 (actor_process_image_path in ("C:\Program Files\Google\Chrome\Application\chrome.exe", "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) or 
 (actor_process_image_path in ("C:\Program Files\Mozilla Firefox\firefox.exe", "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) or 
 (actor_process_image_path in ("C:\Program Files (x86)\Internet Explorer\iexplore.exe", "C:\Program Files\Internet Explorer\iexplore.exe")) or 
 actor_process_image_path contains "\maxthon.exe" or 
 (actor_process_image_path contains "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\" or 
 actor_process_image_path contains "\WindowsApps\MicrosoftEdge.exe" or 
 (actor_process_image_path in ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "C:\Program Files\Microsoft\Edge\Application\msedge.exe"))) or 
 ((actor_process_image_path in ("C:\Program Files (x86)\Microsoft\EdgeCore\*", "C:\Program Files\Microsoft\EdgeCore\*")) and 
 (actor_process_image_path in ("*\msedge.exe", "*\msedgewebview2.exe"))) or 
 actor_process_image_path contains "\opera.exe" or 
 actor_process_image_path contains "\safari.exe" or 
 actor_process_image_path contains "\seamonkey.exe" or 
 actor_process_image_path contains "\vivaldi.exe" or 
 actor_process_image_path contains "\whale.exe"))))
view Sigma YAML
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
      type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        - DestinationHostname:
              - 'www.ip.cn'
              - 'l2.io'
        - DestinationHostname|contains:
              - 'api.2ip.ua'
              - 'api.bigdatacloud.net'
              - 'api.ipify.org'
              - 'bot.whatismyipaddress.com'
              - 'canireachthe.net'
              - 'checkip.amazonaws.com'
              - 'checkip.dyndns.org'
              - 'curlmyip.com'
              - 'db-ip.com'
              - 'edns.ip-api.com'
              - 'eth0.me'
              - 'freegeoip.app'
              - 'geoipy.com'
              - 'getip.pro'
              - 'icanhazip.com'
              - 'ident.me'
              - 'ifconfig.io'
              - 'ifconfig.me'
              - 'ip-api.com'
              - 'ip.360.cn'
              - 'ip.anysrc.net'
              - 'ip.taobao.com'
              - 'ip.tyk.nu'
              - 'ipaddressworld.com'
              - 'ipapi.co'
              - 'ipconfig.io'
              - 'ipecho.net'
              - 'ipinfo.io'
              - 'ipip.net'
              - 'ipof.in'
              - 'ipv4.icanhazip.com'
              - 'ipv4bot.whatismyipaddress.com'
              - 'ipv6-test.com'
              - 'ipwho.is'
              - 'jsonip.com'
              - 'myexternalip.com'
              - 'seeip.org'
              - 'wgetip.com'
              - 'whatismyip.akamai.com'
              - 'whois.pconline.com.cn'
              - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious New Instance Of An Office COM Object
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\svchost.exe" and 
 (action_process_image_path in ("*\eqnedt32.exe", "*\excel.exe", "*\msaccess.exe", "*\mspub.exe", "*\powerpnt.exe", "*\visio.exe", "*\winword.exe"))))
view Sigma YAML
title: Suspicious New Instance Of An Office COM Object
id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
status: test
description: |
    Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
    This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
references:
    - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
    - https://github.com/med0x2e/vba2clr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-13
modified: 2023-12-19
tags:
    - attack.execution
    - detection.threat-hunting
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith:
            - '\eqnedt32.exe'
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    condition: selection
falsepositives:
    - Legitimate usage of office automation via scripting
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Non-Browser Network Communication With Telegram API
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
cortex_xdr query
config case_sensitive = false | preset=network_story | filter event_type = ENUM.NETWORK and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_external_hostname contains "api.telegram.org" and 
 (not 
 (actor_process_image_path contains "\brave.exe" or 
 (actor_process_image_path in ("C:\Program Files\Google\Chrome\Application\chrome.exe", "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) or 
 (actor_process_image_path in ("C:\Program Files\Mozilla Firefox\firefox.exe", "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) or 
 (actor_process_image_path in ("C:\Program Files (x86)\Internet Explorer\iexplore.exe", "C:\Program Files\Internet Explorer\iexplore.exe")) or 
 actor_process_image_path contains "\maxthon.exe" or 
 (actor_process_image_path contains "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\" or 
 actor_process_image_path contains "\WindowsApps\MicrosoftEdge.exe" or 
 (actor_process_image_path in ("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "C:\Program Files\Microsoft\Edge\Application\msedge.exe"))) or 
 ((actor_process_image_path in ("C:\Program Files (x86)\Microsoft\EdgeCore\*", "C:\Program Files\Microsoft\EdgeCore\*")) and 
 (actor_process_image_path in ("*\msedge.exe", "*\msedgewebview2.exe"))) or 
 actor_process_image_path contains "\opera.exe" or 
 actor_process_image_path contains "\safari.exe" or 
 actor_process_image_path contains "\seamonkey.exe" or 
 actor_process_image_path contains "\vivaldi.exe" or 
 actor_process_image_path contains "\whale.exe"))))
view Sigma YAML
title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1102
    - attack.t1567
    - attack.t1105
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.telegram.org'
    # Other browsers or apps known to use telegram should be added
    # TODO: Add full paths for default install locations
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, apps with an RSS feature, etc.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious PROCEXP152.sys File Created In TMP
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
status: test · author: xknow (@xknow_infosec), xorxes (@xor_xes) · ATT&CK: technique · id: 3da70954-0f2c-4103-adff-b7440368f50e
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "\AppData\Local\Temp\" and 
 action_file_name contains "PROCEXP152.sys") and 
 (not 
 (actor_process_image_path in ("*\procexp64.exe*", "*\procexp.exe*", "*\procmon64.exe*", "*\procmon.exe*")))))
view Sigma YAML
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
description: |
  Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
  This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2022-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith: 'PROCEXP152.sys'
    filter:
        Image|contains:
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
    condition: selection and not filter
falsepositives:
    - Other legitimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: 700fb7e8-2981-401c-8430-be58e189e741
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((((action_process_image_path in ("*/apt", "*/apt-get")) and 
 action_process_image_command_line contains "install") or 
 (action_process_image_path contains "/yum" and 
 (action_process_image_command_line in ("*localinstall*", "*install*"))) or 
 (action_process_image_path contains "/rpm" and 
 action_process_image_command_line contains "-i") or 
 (action_process_image_path contains "/dpkg" and 
 (action_process_image_command_line in ("*--install*", "*-i*")))) and 
 (action_process_image_command_line in ("*nmap*", "* nc*", "*netcat*", "*wireshark*", "*tshark*", "*openconnect*", "*proxychains*", "*socat*"))))
view Sigma YAML
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2026-01-01
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection_tool_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'install'
    selection_tool_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'localinstall'
            - 'install'
    selection_tool_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: '-i'
    selection_tool_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--install'
            - '-i'
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious packages
            - 'nmap'
            - ' nc'
            - 'netcat'
            - 'wireshark'
            - 'tshark'
            - 'openconnect'
            - 'proxychains'
            - 'socat'
    condition: 1 of selection_tool_* and selection_keyword
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
status: test · author: frack113, Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 8d85cf08-bf97-4260-ba49-986a2a65129c
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*\Software\Microsoft\Windows\CurrentVersion\Run*", "*\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run*", "*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*")) and 
 ((action_registry_value_name in ("*powershell*", "*pwsh *", "*FromBase64String*", "*.DownloadFile(*", "*.DownloadString(*", "* -w hidden *", "* -w 1 *", "*-windowstyle hidden*", "*-window hidden*", "* -nop *", "* -encodedcommand *", "*-ExecutionPolicy Bypass*", "*Invoke-Expression*", "*IEX (*", "*Invoke-Command*", "*ICM -*", "*Invoke-WebRequest*", "*IWR *", "*Invoke-RestMethod*", "*IRM *", "* -noni *", "* -noninteractive *")) or 
 (action_registry_data in ("*powershell*", "*pwsh *", "*FromBase64String*", "*.DownloadFile(*", "*.DownloadString(*", "* -w hidden *", "* -w 1 *", "*-windowstyle hidden*", "*-window hidden*", "* -nop *", "* -encodedcommand *", "*-ExecutionPolicy Bypass*", "*Invoke-Expression*", "*IEX (*", "*Invoke-Command*", "*ICM -*", "*Invoke-WebRequest*", "*IWR *", "*Invoke-RestMethod*", "*IRM *", "* -noni *", "* -noninteractive *")))))
view Sigma YAML
title: Suspicious PowerShell In Registry Run Keys
id: 8d85cf08-bf97-4260-ba49-986a2a65129c
status: test
description: Detects potential PowerShell commands or code within registry run keys
references:
    - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2025-07-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - 'powershell'
            - 'pwsh '
            - 'FromBase64String'
            - '.DownloadFile('
            - '.DownloadString('
            - ' -w hidden '
            - ' -w 1 '
            - '-windowstyle hidden'
            - '-window hidden'
            - ' -nop '
            - ' -encodedcommand '
            - '-ExecutionPolicy Bypass'
            - 'Invoke-Expression'
            - 'IEX ('
            - 'Invoke-Command'
            - 'ICM -'
            - 'Invoke-WebRequest'
            - 'IWR '
            - 'Invoke-RestMethod'
            - 'IRM '
            - ' -noni '
            - ' -noninteractive '
    condition: selection
falsepositives:
    - Legitimate admin or third party scripts. Baseline according to your environment
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious PowerShell Invocation From Script Engines
Detects suspicious powershell invocations from interpreters or unusual programs
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 95eadcb2-92e4-4ed1-9031-92547773a6db
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\wscript.exe", "*\cscript.exe")) and 
 (action_process_image_path in ("*\powershell.exe", "*\pwsh.exe"))) and 
 (not 
 action_process_cwd contains "\Health Service State\")))
view Sigma YAML
title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_health_service:
        CurrentDirectory|contains: '\Health Service State\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Microsoft Operations Manager (MOM)
    - Other scripts
level: medium
medium Strong Medium FP
Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 536e2947-3729-478c-9903-745aaffe60d2
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_command_line contains "-nop" and 
 action_process_image_command_line contains " -w " and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains " -c " and 
 action_process_image_command_line contains "[Convert]::FromBase64String") or 
 (action_process_image_command_line contains " -w " and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains "-noni" and 
 action_process_image_command_line contains "-nop" and 
 action_process_image_command_line contains " -c " and 
 action_process_image_command_line contains "iex" and 
 action_process_image_command_line contains "New-Object") or 
 (action_process_image_command_line contains " -w " and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains "-ep" and 
 action_process_image_command_line contains "bypass" and 
 action_process_image_command_line contains "-Enc") or 
 (action_process_image_command_line contains "powershell" and 
 action_process_image_command_line contains "reg" and 
 action_process_image_command_line contains "add" and 
 action_process_image_command_line contains "\software\") or 
 (action_process_image_command_line contains "bypass" and 
 action_process_image_command_line contains "-noprofile" and 
 action_process_image_command_line contains "-windowstyle" and 
 action_process_image_command_line contains "hidden" and 
 action_process_image_command_line contains "new-object" and 
 action_process_image_command_line contains "system.net.webclient" and 
 action_process_image_command_line contains ".download") or 
 (action_process_image_command_line contains "iex" and 
 action_process_image_command_line contains "New-Object" and 
 action_process_image_command_line contains "Net.WebClient" and 
 action_process_image_command_line contains ".Download")) and 
 (not 
 (action_process_image_command_line in ("*(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1*", "*Write-ChocolateyWarning*")))))
view Sigma YAML
title: Suspicious PowerShell Invocations - Specific - ProcessCreation
id: 536e2947-3729-478c-9903-745aaffe60d2
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: obsolete
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_convert_b64:
        CommandLine|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        CommandLine|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - '\software\'
    selection_webclient:
        CommandLine|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        CommandLine|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        CommandLine|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
status test author juju4, Jonhnathan Ribeiro, oscd.community ATT&CK technique id 15b75071-74cc-47e0-b4c6-b43744a62a2b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*:\RECYCLER\*", "*:\SystemVolumeInformation\*")) or 
 (action_process_image_path in ("C:\Windows\Tasks\*", "C:\Windows\debug\*", "C:\Windows\fonts\*", "C:\Windows\help\*", "C:\Windows\drivers\*", "C:\Windows\addins\*", "C:\Windows\cursors\*", "C:\Windows\system32\tasks\*"))))
view Sigma YAML
title: Suspicious Process Start Locations
id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
status: test
description: Detects suspicious process run from unusual locations
references:
    - https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1036
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
              - ':\RECYCLER\'
              - ':\SystemVolumeInformation\'
        - Image|startswith:
              - 'C:\Windows\Tasks\'
              - 'C:\Windows\debug\'
              - 'C:\Windows\fonts\'
              - 'C:\Windows\help\'
              - 'C:\Windows\drivers\'
              - 'C:\Windows\addins\'
              - 'C:\Windows\cursors\'
              - 'C:\Windows\system32\tasks\'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium Moderate High FP
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
status test author juju4 ATT&CK technique id 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_path contains "rasdial.exe")
view Sigma YAML
title: Suspicious RASdial Activity
id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
status: test
description: Detects suspicious process related to rasdial.exe
references:
    - https://twitter.com/subTee/status/891298217907830785
author: juju4
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'rasdial.exe'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium Moderate High FP
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id c8a180d6-47a3-4345-a609-53f9c3d834fc
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "Get-LocalGroupMember " and 
 (action_process_image_command_line in ("*domain admins*", "* administrator*", "* administrateur*", "*enterprise admins*", "*Exchange Trusted Subsystem*", "*Remote Desktop Users*", "*Utilisateurs du Bureau à distance*", "*Usuarios de escritorio remoto*"))))
view Sigma YAML
title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    # Covers group and localgroup flags
    selection_cmdlet:
        CommandLine|contains: 'Get-LocalGroupMember '
    selection_group:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
medium Moderate High FP
Suspicious Recursive Takeown
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders.
status test author frack113 ATT&CK sub-technique id 554601fb-9b71-4bcc-abf4-21a611be4fde
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\takeown.exe" and 
 (action_process_image_command_line contains "/f " and 
 action_process_image_command_line contains "/r")))
view Sigma YAML
title: Suspicious Recursive Takeown
id: 554601fb-9b71-4bcc-abf4-21a611be4fde
status: test
description: Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
author: frack113
date: 2022-01-30
modified: 2022-11-21
tags:
    - attack.defense-impairment
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\takeown.exe'
        CommandLine|contains|all:
            - '/f '
            - '/r'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
medium Moderate High FP
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
status test author Florian Roth (Nextron Systems) ATT&CK tactic-only id 50d66fb0-03f8-4da0-8add-84e77d12a020
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("* -u system *", "* --user system *", "* -u NT*", "* -u \"NT*", "* -u 'NT*", "* --system *", "* -u administrator *")) and 
 (action_process_image_command_line in ("* -c cmd*", "* -c \"cmd*", "* -c powershell*", "* -c \"powershell*", "* --command cmd*", "* --command powershell*", "* -c whoami*", "* -c wscript*", "* -c cscript*"))))
view Sigma YAML
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022-11-11
tags:
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_user:
        CommandLine|contains:
            - ' -u system '
            - ' --user system '
            - ' -u NT'
            - ' -u "NT'
            - " -u 'NT"
            - ' --system '
            - ' -u administrator '
    selection_command:
        CommandLine|contains:
            - ' -c cmd'
            - ' -c "cmd'
            - ' -c powershell'
            - ' -c "powershell'
            - ' --command cmd'
            - ' --command powershell'
            - ' -c whoami'
            - ' -c wscript'
            - ' -c cscript'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium Strong High FP
Suspicious Rundll32 Setupapi.dll Activity
The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or chaining calls to other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
status test author Konstantin Grishchenko, oscd.community ATT&CK sub-technique id 285b85b1-a555-4095-8652-a8a4106af63f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\runonce.exe" and 
 actor_process_image_path contains "\rundll32.exe" and 
 (actor_process_command_line contains "setupapi.dll" and 
 actor_process_command_line contains "InstallHinfSection")))
view Sigma YAML
title: Suspicious Rundll32 Setupapi.dll Activity
id: 285b85b1-a555-4095-8652-a8a4106af63f
status: test
description: The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or chaining calls to other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/
    - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
    - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
    - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
author: Konstantin Grishchenko, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\runonce.exe'
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - 'setupapi.dll'
            - 'InstallHinfSection'
    condition: selection
falsepositives:
    - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
level: medium
medium Moderate Medium FP
Suspicious Runscripthelper.exe
Detects execution of powershell scripts via Runscripthelper.exe
status test author Victor Sergeev, oscd.community ATT&CK technique id eca49c87-8a75-4f13-9c73-a5a29e845f03
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\Runscripthelper.exe" and 
 action_process_image_command_line contains "surfacecheck"))
view Sigma YAML
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Runscripthelper.exe'
        CommandLine|contains: 'surfacecheck'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious SYSVOL Domain Group Policy Access
Detects access to domain Group Policies stored in SYSVOL
status test author Markus Neis, Jonhnathan Ribeiro, oscd.community ATT&CK sub-technique id 05f3c945-dcc8-4393-9f3d-af65077a8f86
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\SYSVOL\" and 
 action_process_image_command_line contains "\policies\"))
view Sigma YAML
title: Suspicious SYSVOL Domain Group Policy Access
id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
status: test
description: Detects access to domain Group Policies stored in SYSVOL
references:
    - https://adsecurity.org/?p=2288
    - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018-04-09
modified: 2022-01-07
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\SYSVOL\'
            - '\policies\'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
medium Strong High FP
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
status test author frack113 ATT&CK technique id f8ad2e2c-40b6-4117-84d7-20b89896ab23
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*for *", "*foreach *")) and 
 (action_process_image_command_line in ("*nslookup*", "*ping*"))))
view Sigma YAML
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
    - https://ss64.com/nt/for.html
    - https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
    - attack.execution
    - attack.t1059
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection_loop:
        CommandLine|contains:
            - 'for '
            - 'foreach '
    selection_tools:
        CommandLine|contains:
            - 'nslookup'
            - 'ping'
    condition: all of selection_*
falsepositives:
    - Legitimate script
level: medium
medium Strong Medium FP
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID-like name
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\schtasks.exe" and 
 action_process_image_command_line contains "/Create ") and 
 (action_process_image_command_line in ("*/TN \"{*", "*/TN '{*", "*/TN {*")) and 
 (action_process_image_command_line in ("*}\"*", "*}'*", "*} *"))))
view Sigma YAML
title: Suspicious Scheduled Task Name As GUID
id: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
status: test
description: Detects creation of a scheduled task with a GUID-like name
references:
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
    selection_tn:
        CommandLine|contains:
            # Can start with single or double quote
            - '/TN "{'
            - "/TN '{"
            - "/TN {"
    selection_end:
        CommandLine|contains:
            # Ending of the name to avoid possible FP in the rest of the commandline
            - '}"'
            - "}'"
            - '} '
    condition: all of selection_*
falsepositives:
    - Legitimate software naming their tasks as GUIDs
level: medium
medium Strong Medium FP
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
status test author frack113 ATT&CK sub-technique id 0fc35fc3-efe6-4898-8a37-0b233339524f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\reg.exe" and 
 (action_process_image_command_line in ("*HKEY_CURRENT_USER\Control Panel\Desktop*", "*HKCU\Control Panel\Desktop*"))) and 
 ((action_process_image_command_line contains "/v ScreenSaveActive" and 
 action_process_image_command_line contains "/t REG_SZ" and 
 action_process_image_command_line contains "/d 1" and 
 action_process_image_command_line contains "/f") or 
 (action_process_image_command_line contains "/v ScreenSaveTimeout" and 
 action_process_image_command_line contains "/t REG_SZ" and 
 action_process_image_command_line contains "/d " and 
 action_process_image_command_line contains "/f") or 
 (action_process_image_command_line contains "/v ScreenSaverIsSecure" and 
 action_process_image_command_line contains "/t REG_SZ" and 
 action_process_image_command_line contains "/d 0" and 
 action_process_image_command_line contains "/f") or 
 (action_process_image_command_line contains "/v SCRNSAVE.EXE" and 
 action_process_image_command_line contains "/t REG_SZ" and 
 action_process_image_command_line contains "/d " and 
 action_process_image_command_line contains ".scr" and 
 action_process_image_command_line contains "/f"))))
view Sigma YAML
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'HKEY_CURRENT_USER\Control Panel\Desktop'
            - 'HKCU\Control Panel\Desktop'
    selection_option_1: # /force Active ScreenSaveActive
        CommandLine|contains|all:
            - '/v ScreenSaveActive'
            - '/t REG_SZ'
            - '/d 1'
            - '/f'
    selection_option_2: # /force  set ScreenSaveTimeout
        CommandLine|contains|all:
            - '/v ScreenSaveTimeout'
            - '/t REG_SZ'
            - '/d '
            - '/f'
    selection_option_3: # /force set ScreenSaverIsSecure
        CommandLine|contains|all:
            - '/v ScreenSaverIsSecure'
            - '/t REG_SZ'
            - '/d 0'
            - '/f'
    selection_option_4: # /force set a .scr
        CommandLine|contains|all:
            - '/v SCRNSAVE.EXE'
            - '/t REG_SZ'
            - '/d '
            - '.scr'
            - '/f'
    condition: selection_reg and 1 of selection_option_*
falsepositives:
    - GPO
level: medium
medium Moderate Medium FP
Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
status test author frack113 ATT&CK sub-technique id 97aa2e88-555c-450d-85a6-229bcd87efb8
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains ".scr" and 
 (not 
 ((actor_process_image_path in ("*\Kindle.exe", "*\Bin\ccSvcHst.exe")) or 
 (actor_process_image_path contains "\TiWorker.exe" and 
 action_file_name contains "\uwfservicingscr.scr")))))
view Sigma YAML
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter_generic:
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Service Installed
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
status test author xknow (@xknow_infosec), xorxes (@xor_xes) ATT&CK technique id f2485272-a156-4773-82d7-1d178bc4905b
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath", "HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath")) and 
 (not 
 ((actor_process_image_path in ("*\procexp64.exe", "*\procexp.exe", "*\procmon64.exe", "*\procmon.exe", "*\handle.exe", "*\handle64.exe")) and 
 (action_registry_value_name contains "\WINDOWS\system32\Drivers\PROCEXP152.SYS" or 
 action_registry_data contains "\WINDOWS\system32\Drivers\PROCEXP152.SYS")))))
view Sigma YAML
title: Suspicious Service Installed
id: f2485272-a156-4773-82d7-1d178bc4905b
status: test
description: |
  Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
  Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
references:
    - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
            - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
    filter:
        Image|endswith:
            # Please add the full paths that you use in your environment to tighten the rule
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\procmon64.exe'
            - '\procmon.exe'
            - '\handle.exe'
            - '\handle64.exe'
        Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
    condition: selection and not filter
falsepositives:
    - Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by simply renaming the services. Therefore the level is only medium; don't rely on it.
level: medium
medium Moderate High FP
Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects setting a value under the ms-msdt MSProtocol URI scheme in the Registry, which could be an attempt to exploit CVE-2022-30190.
status test author Sittikorn S ATT&CK technique id 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "HKCR\ms-msdt\")
view Sigma YAML
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
status: test
description: Detects setting a value under the ms-msdt MSProtocol URI scheme in the Registry, which could be an attempt to exploit CVE-2022-30190.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020-05-31
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1221
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|startswith: 'HKCR\ms-msdt\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule ID: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\shell\open\command\" and 
 ((action_registry_value_name in ("*\$Recycle.Bin\*", "*\AppData\Local\Temp\*", "*\Contacts\*", "*\Music\*", "*\PerfLogs\*", "*\Photos\*", "*\Pictures\*", "*\Users\Public\*", "*\Videos\*", "*\Windows\Temp\*", "*%AppData%*", "*%LocalAppData%*", "*%Temp%*", "*%tmp%*")) or 
 (action_registry_data in ("*\$Recycle.Bin\*", "*\AppData\Local\Temp\*", "*\Contacts\*", "*\Music\*", "*\PerfLogs\*", "*\Photos\*", "*\Pictures\*", "*\Users\Public\*", "*\Videos\*", "*\Windows\Temp\*", "*%AppData%*", "*%LocalAppData%*", "*%Temp%*", "*%tmp%*")))))
view Sigma YAML
title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Suspicious SysAidServer Child
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · Rule ID: 60bfeac3-0d35-4302-8efb-1dd16f715bc6
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\java.exe", "*\javaw.exe")) and 
 actor_process_command_line contains "SysAidServer"))
view Sigma YAML
title: Suspicious SysAidServer Child
id: 60bfeac3-0d35-4302-8efb-1dd16f715bc6
status: test
description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
references:
    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
tags:
    - attack.lateral-movement
    - attack.t1210
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains: 'SysAidServer'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically (for example PowerShell), a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious LNK files.
Status: experimental · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK mapping: sub-technique · Rule ID: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "for /f" and 
 action_process_image_command_line contains "tokens=" and 
 action_process_image_command_line contains "in (" and 
 action_process_image_command_line contains "dir") or 
 (actor_process_command_line contains "for /f" and 
 actor_process_command_line contains "tokens=" and 
 actor_process_command_line contains "in (" and 
 actor_process_command_line contains "dir")))
view Sigma YAML
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
    Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
    This pattern may indicate an attempt to discover and execute system binaries dynamically (for example PowerShell), a technique sometimes used by attackers to evade detection.
    This behavior has been observed in various malicious LNK files.
references:
    - https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_tokens:
        CommandLine|contains|all:
            - 'for /f'
            - 'tokens='
            - 'in ('
            - 'dir'
    selection_tokens_parent:
        ParentCommandLine|contains|all:
            - 'for /f'
            - 'tokens='
            - 'in ('
            - 'dir'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious VBoxDrvInst.exe Parameters
Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This allows creating values in the registry and installing drivers. For example, this technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys.
Status: test · Author: Konstantin Grishchenko, oscd.community · ATT&CK mapping: technique · Rule ID: b7b19cb6-9b32-4fc4-a108-73f19acfe262
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\VBoxDrvInst.exe" and 
 (action_process_image_command_line contains "driver" and 
 action_process_image_command_line contains "executeinf")))
view Sigma YAML
title: Suspicious VBoxDrvInst.exe Parameters
id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
status: test
description: |
  Detects VBoxDrvInst.exe run with parameters that allow processing an INF file.
  This allows creating values in the registry and installing drivers.
  For example, this technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
    - https://twitter.com/pabraeken/status/993497996179492864
author: Konstantin Grishchenko, oscd.community
date: 2020-10-06
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\VBoxDrvInst.exe'
        CommandLine|contains|all:
            - 'driver'
            - 'executeinf'
    condition: selection
falsepositives:
    - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
Status: test · Author: bohops · ATT&CK mapping: technique · Rule ID: 43103702-5886-11ed-9b6a-0242ac120002
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\vsls-agent.exe" and 
 action_process_image_command_line contains "--agentExtensionPath") and 
 (not 
 action_process_image_command_line contains "Microsoft.VisualStudio.LiveShare.Agent.")))
view Sigma YAML
title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
id: 43103702-5886-11ed-9b6a-0242ac120002
status: test
description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
references:
    - https://twitter.com/bohops/status/1583916360404729857
author: bohops
date: 2022-10-30
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vsls-agent.exe'
        CommandLine|contains: '--agentExtensionPath'
    filter:
        CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'
    condition: selection and not filter
falsepositives:
    - False positives depend on custom use of vsls-agent.exe
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Status: test · Author: frack113 · ATT&CK mapping: technique · Rule ID: 48917adc-a28e-4f5d-b729-11e75da8941f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\reg.exe" and 
 (action_process_image_command_line in ("*SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths*", "*SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths*")) and 
 (action_process_image_command_line contains "ADD " and 
 action_process_image_command_line contains "/t " and 
 action_process_image_command_line contains "REG_DWORD " and 
 action_process_image_command_line contains "/v " and 
 action_process_image_command_line contains "/d " and 
 action_process_image_command_line contains "0")))
view Sigma YAML
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Suspicious WindowsTerminal Child Processes
Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · Rule ID: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\WindowsTerminal.exe", "*\wt.exe")) and 
 ((action_process_image_path in ("*\rundll32.exe", "*\regsvr32.exe", "*\certutil.exe", "*\cscript.exe", "*\wscript.exe", "*\csc.exe")) or 
 (action_process_image_path in ("*C:\Users\Public\*", "*\Downloads\*", "*\Desktop\*", "*\AppData\Local\Temp\*", "*\Windows\TEMP\*")) or 
 (action_process_image_command_line in ("* iex *", "* icm*", "*Invoke-*", "*Import-Module *", "*ipmo *", "*DownloadString(*", "* /c *", "* /k *", "* /r *")))) and 
 (not 
 ((action_process_image_command_line contains "Import-Module" and 
 action_process_image_command_line contains "Microsoft.VisualStudio.DevShell.dll" and 
 action_process_image_command_line contains "Enter-VsDevShell") or 
 (action_process_image_command_line contains "\AppData\Local\Packages\Microsoft.WindowsTerminal_" and 
 action_process_image_command_line contains "\LocalState\settings.json") or 
 (action_process_image_command_line contains "C:\Program Files\Microsoft Visual Studio\" and 
 action_process_image_command_line contains "\Common7\Tools\VsDevCmd.bat")))))
view Sigma YAML
title: Suspicious WindowsTerminal Child Processes
id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
status: test
description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
references:
    - https://persistence-info.github.io/Data/windowsterminalprofile.html
    - https://twitter.com/nas_bench/status/1550836225652686848
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-25
modified: 2023-02-14
tags:
    - attack.execution
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WindowsTerminal.exe'
            - '\wt.exe'
    selection_susp:
        - Image|endswith:
              # Add more LOLBINS
              - '\rundll32.exe'
              - '\regsvr32.exe'
              - '\certutil.exe'
              - '\cscript.exe'
              - '\wscript.exe'
              - '\csc.exe'
        - Image|contains:
              # Add more suspicious paths
              - 'C:\Users\Public\'
              - '\Downloads\'
              - '\Desktop\'
              - '\AppData\Local\Temp\'
              - '\Windows\TEMP\'
        - CommandLine|contains:
              # Add more suspicious commandline
              - ' iex '
              - ' icm'
              - 'Invoke-'
              - 'Import-Module '
              - 'ipmo '
              - 'DownloadString('
              - ' /c '
              - ' /k '
              - ' /r '
    filter_builtin_visual_studio_shell:
        CommandLine|contains|all:
            - 'Import-Module'
            - 'Microsoft.VisualStudio.DevShell.dll'
            - 'Enter-VsDevShell'
    filter_open_settings:
        CommandLine|contains|all:
            - '\AppData\Local\Packages\Microsoft.WindowsTerminal_'
            - '\LocalState\settings.json'
    filter_vsdevcmd:
        CommandLine|contains|all:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - '\Common7\Tools\VsDevCmd.bat'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Other legitimate "Windows Terminal" profiles
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious X509Enrollment - Process Creation
Detects use of X509Enrollment
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule ID: 114de787-4eb2-48cc-abdb-c0b449f93ea4
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*X509Enrollment.CBinaryConverter*", "*884e2002-217d-11da-b2a4-000e7bbb2b09*")))
view Sigma YAML
title: Suspicious X509Enrollment - Process Creation
id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
related:
    - id: 504d63cb-0dba-4d02-8531-e72981aace2c
      type: similar
status: test
description: Detects use of X509Enrollment
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
    - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'X509Enrollment.CBinaryConverter'
            - '884e2002-217d-11da-b2a4-000e7bbb2b09'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Status: test · Author: frack113 · ATT&CK mapping: technique · Rule ID: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and 
 action_process_image_command_line contains ".zip" and 
 action_process_image_command_line contains "/pass:" and 
 action_process_image_command_line contains "/user:") or 
 (action_process_image_command_line contains "/delete" and 
 action_process_image_command_line contains "Microsoft_Windows_Shell_ZipFolder:filename=" and 
 action_process_image_command_line contains ".zip")))
view Sigma YAML
title: Suspicious ZipExec Execution
id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
status: test
description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
references:
    - https://twitter.com/SBousseaden/status/1451237393017839616
    - https://github.com/Tylous/ZipExec
author: frack113
date: 2021-11-07
modified: 2022-12-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    run:
        CommandLine|contains|all:
            - '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
            - '.zip'
            - '/pass:'
            - '/user:'
    delete:
        CommandLine|contains|all:
            - '/delete'
            - 'Microsoft_Windows_Shell_ZipFolder:filename='
            - '.zip'
    condition: run or delete
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Detects execution of arbitrary PowerShell code via SyncAppvPublishingServer.vbs
Status: test · Author: frack113 · ATT&CK mapping: technique · Rule ID: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\SyncAppvPublishingServer.vbs" and 
 action_process_image_command_line contains ";"))
view Sigma YAML
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
status: test
description: Detects execution of arbitrary PowerShell code via SyncAppvPublishingServer.vbs
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021-07-16
modified: 2022-06-22
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\SyncAppvPublishingServer.vbs'
            - ';'  # at a minimum, a semi-colon is required
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Sysprep on AppData Folder
Detects a suspicious sysprep process start with the AppData folder as target (as used by the Trojan Syndicasec in Symantec's Thrip report)
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · Rule ID: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\sysprep.exe" and 
 action_process_image_command_line contains "\AppData\"))
view Sigma YAML
title: Sysprep on AppData Folder
id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
status: test
description: Detects a suspicious sysprep process start with the AppData folder as target (as used by the Trojan Syndicasec in Symantec's Thrip report)
references:
    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
author: Florian Roth (Nextron Systems)
date: 2018-06-22
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sysprep.exe'
        CommandLine|contains: '\AppData\'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
System Information Discovery Using Ioreg
Detects the use of "ioreg", which shows I/O Kit registry information. This process is used for system information discovery. It has been observed in the wild being called directly, or via bash and grep to look for specific strings.
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK mapping: technique · Rule ID: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 ((action_process_image_path contains "/ioreg" or 
 action_process_image_command_line contains "ioreg") and 
 (action_process_image_command_line in ("*-l*", "*-c*")) and 
 (action_process_image_command_line in ("*AppleAHCIDiskDriver*", "*IOPlatformExpertDevice*", "*Oracle*", "*Parallels*", "*USB Vendor Name*", "*VirtualBox*", "*VMware*"))))
view Sigma YAML
title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
    Detects the use of "ioreg", which shows I/O Kit registry information.
    This process is used for system information discovery.
    It has been observed in the wild being called directly, or via bash and grep to look for specific strings.
references:
    - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
    - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
    - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
    - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # Examples:
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
    #   /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
    #   ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
    selection_img:
        - Image|endswith: '/ioreg'
        - CommandLine|contains: 'ioreg'
    selection_cmd1:
        CommandLine|contains:
            - '-l'
            - '-c'
    selection_cmd2:
        CommandLine|contains:
            - 'AppleAHCIDiskDriver'
            - 'IOPlatformExpertDevice'
            - 'Oracle'
            - 'Parallels'
            - 'USB Vendor Name'
            - 'VirtualBox'
            - 'VMware'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine whether virtualization software is running, for defense evasion purposes.
Status: test · Author: Stephen Lincoln `@slincoln_aiq` (AttackIQ) · ATT&CK mapping: sub-technique · Rule ID: 4809c683-059b-4935-879d-36835986f8cf
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 ((action_process_image_path contains "/system_profiler" or 
 action_process_image_command_line contains "system_profiler") and 
 (action_process_image_command_line in ("*SPApplicationsDataType*", "*SPHardwareDataType*", "*SPNetworkDataType*", "*SPUSBDataType*"))))
view Sigma YAML
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
    Detects the execution of "system_profiler" with specific "Data Types" that have been used by threat actors and malware. It provides system hardware and software configuration information.
    This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine whether virtualization software is running, for defense evasion purposes.
references:
    - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
    - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
    - https://ss64.com/mac/system_profiler.html
    - https://objective-see.org/blog/blog_0x62.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
    - attack.discovery
    - attack.stealth
    - attack.t1082
    - attack.t1497.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/system_profiler'
        - CommandLine|contains: 'system_profiler'
    selection_cmd:
        # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refer to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
        CommandLine|contains:
            - 'SPApplicationsDataType'
            - 'SPHardwareDataType'
            - 'SPNetworkDataType'
            - 'SPUSBDataType'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
Status: test · Author: Joseliyo Sanchez, @Joseliyo_Jstnk · ATT&CK mapping: technique · Rule ID: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_path contains "/sw_vers" and 
 (action_process_image_command_line in ("*-buildVersion*", "*-productName*", "*-productVersion*"))))
view Sigma YAML
title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: test
description: Detects the use of "sw_vers" for system information discovery
references:
    - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
    - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
    - https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
    selection_image:
        Image|endswith: '/sw_vers'
    selection_options:
        CommandLine|contains:
            - '-buildVersion'
            - '-productName'
            - '-productVersion'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
Status: test · Author: Pratinav Chandra · ATT&CK mapping: sub-technique · Rule ID: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 ((action_process_image_path contains "/sysctl" or 
 action_process_image_command_line contains "sysctl") and 
 (action_process_image_command_line in ("*hw.*", "*kern.*", "*machdep.*"))))
view Sigma YAML
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
    Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
    This process is primarily used to detect and avoid virtualization and analysis environments.
references:
    - https://www.loobins.io/binaries/sysctl/#
    - https://evasions.checkpoint.com/techniques/macos.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://objective-see.org/blog/blog_0x1E.html
    - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
    - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
    - attack.stealth
    - attack.t1497.001
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/sysctl'
        - CommandLine|contains: 'sysctl'
    selection_cmd:
        CommandLine|contains:
            - 'hw.'
            - 'kern.'
            - 'machdep.'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
medium Moderate Medium FP
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK sub-technique id 3603f18a-ec15-43a1-9af2-d196c8a7fec6
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_path contains "/csrutil" and 
 action_process_image_command_line contains "disable"))
view Sigma YAML
title: System Integrity Protection (SIP) Disabled
id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6
status: test
description: |
    Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'disable'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
System Scripts Autorun Keys Modification
Detects modification of an autostart extensibility point (ASEP) in the registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) ATT&CK sub-technique id e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Software\Policies\Microsoft\Windows\System\Scripts" and 
 (action_registry_key_name in ("*\Startup*", "*\Shutdown*", "*\Logon*", "*\Logoff*")) and 
 (not 
 (action_registry_value_name = "(Empty)" or 
 action_registry_data = "(Empty)"))))
view Sigma YAML
title: System Scripts Autorun Keys Modification
id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of an autostart extensibility point (ASEP) in the registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    scripts_base:
        TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
    scripts:
        TargetObject|contains:
            - '\Startup'
            - '\Shutdown'
            - '\Logon'
            - '\Logoff'
    filter:
        Details: '(Empty)'
    condition: scripts_base and scripts and not filter
falsepositives:
    - Legitimate software automatically sets up autorun keys for a legitimate reason, mostly during installation
    - A legitimate administrator sets up autorun keys for a legitimate reason
level: medium
medium Strong Medium FP
Tap Installer Execution
Detects execution of tapinstall.exe, the installer for well-known TAP virtual network adapter drivers, outside the install paths of known VPN products. Possible preparation for data exfiltration using tunneling techniques.
status test author Daniil Yugoslavskiy, Ian Davis, oscd.community ATT&CK technique id 99793437-3e16-439b-be0f-078782cf953d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\tapinstall.exe" and 
 (not 
 ((action_process_image_path in ("*:\Program Files\Avast Software\SecureLine VPN\*", "*:\Program Files (x86)\Avast Software\SecureLine VPN\*")) or 
 action_process_image_path contains ":\Program Files\OpenVPN Connect\drivers\tap\" or 
 action_process_image_path contains ":\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\"))))
view Sigma YAML
title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Detects execution of tapinstall.exe, the installer for well-known TAP virtual network adapter drivers, outside the install paths of known VPN products. Possible preparation for data exfiltration using tunneling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    filter_optional_avast:
        Image|contains:
            - ':\Program Files\Avast Software\SecureLine VPN\'
            - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
    filter_optional_openvpn:
        Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
    filter_optional_protonvpn:
        Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium
medium Moderate High FP
TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 162ab1e4-6874-4564-853c-53ec3ab8be01
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\TeamViewer\RemotePrinting\tvprint.db", "*\TeamViewer\TVNetwork.log")) or 
 (action_file_name contains "\TeamViewer" and 
 action_file_name contains "_Logfile.log")))
view Sigma YAML
title: TeamViewer Remote Session
id: 162ab1e4-6874-4564-853c-53ec3ab8be01
status: test
description: Detects the creation of log files during a TeamViewer remote session
references:
    - https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection1:
        TargetFilename|endswith:
            - '\TeamViewer\RemotePrinting\tvprint.db'
            - '\TeamViewer\TVNetwork.log'
    selection2:
        TargetFilename|contains|all:
            - '\TeamViewer'
            - '_Logfile.log'
    condition: 1 of selection*
falsepositives:
    - Legitimate uses of TeamViewer in an organisation
level: medium
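The Sysctl, Tap Installer and TeamViewer detection blocks above exercise most of the Sigma semantics you have to get right when mapping these rules onto your own log schema: a selection written as a list of maps (selection_img) is an OR across the maps, list values under one field are an OR unless `|all` is set (selection2 in the TeamViewer rule), `all of selection_*` and `1 of selection*` expand over selection names, and `not` binds tighter than `and`. Note also that the Cortex XDR renderings above express Sigma's `endswith` as `contains`, which is broader (a path that merely contains `/sysctl` or `\tapinstall.exe` somewhere will match). The evaluator below is an added example, not SigmaHQ or pySigma code; it keeps Sigma's own semantics, implements only the modifiers and condition forms these three rules use, and runs the three detection blocks, transcribed into Python dicts, over constructed sample events. `run()` returns the rule titles that fire for each event.

```python
import fnmatch
import re

def _cmp(value, pattern, mods):
    """One field value against one pattern; Sigma string matching is case-insensitive."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    return p in v if "contains" in mods else v.endswith(p) if "endswith" in mods else v == p

def _match_map(event, fields):
    """Every field in the map must match; a list of patterns is OR-ed unless |all is present."""
    for key, patterns in fields.items():
        name, *mods = key.split("|")
        hits = [_cmp(event.get(name), p, mods) for p in (patterns if isinstance(patterns, list) else [patterns])]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def _match_selection(event, sel):
    """A selection written as a list of maps (selection_img above) matches if any map does."""
    return any(_match_map(event, m) for m in (sel if isinstance(sel, list) else [sel]))

_TOKEN = re.compile(r"\(|\)|\b(?:all|1) of [^\s()]+|[^\s()]+")

def _eval_condition(condition, hit):
    """Recursive descent: not > and > or, parentheses, 'all of <glob>' and '1 of <glob>'."""
    tokens, pos = _TOKEN.findall(condition), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            val = expr()
            assert take() == ")", "unbalanced parentheses"
            return val
        if tok == "not":
            return not atom()
        m = re.fullmatch(r"(all|1) of (\S+)", tok)
        if m:  # expand the glob over the selection names, then AND or OR the results
            vals = [hit[n] for n in hit if fnmatch.fnmatch(n, m.group(2))]
            return all(vals) if m.group(1) == "all" else any(vals)
        return hit[tok]

    def chain(sub, word, combine):  # left-assoc binary operator; sub() always runs so tokens get consumed
        val = sub()
        while pos < len(tokens) and tokens[pos] == word:
            take()
            val = combine(sub(), val)
        return val

    def term():
        return chain(atom, "and", lambda a, b: a and b)
    def expr():
        return chain(term, "or", lambda a, b: a or b)

    result = expr()
    assert pos == len(tokens), "trailing tokens in condition"
    return result

def sigma_match(rule, event):
    """True when `event` satisfies the rule's detection block."""
    det = rule["detection"]
    hit = {k: _match_selection(event, v) for k, v in det.items() if k != "condition"}
    return _eval_condition(det["condition"], hit)

RULES = {  # detection blocks transcribed from the Sysctl, Tap Installer and TeamViewer rules above
    "System Information Discovery Via Sysctl - MacOS": {"detection": {
        "selection_img": [{"Image|endswith": "/sysctl"}, {"CommandLine|contains": "sysctl"}],
        "selection_cmd": {"CommandLine|contains": ["hw.", "kern.", "machdep."]},
        "condition": "all of selection_*"}},
    "Tap Installer Execution": {"detection": {
        "selection": {"Image|endswith": "\\tapinstall.exe"},
        "filter_optional_avast": {"Image|contains": [":\\Program Files\\Avast Software\\SecureLine VPN\\",
                                                     ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\"]},
        "filter_optional_openvpn": {"Image|contains": ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\"},
        "filter_optional_protonvpn": {"Image|contains": ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\"},
        "condition": "selection and not 1 of filter_optional_*"}},
    "TeamViewer Remote Session": {"detection": {
        "selection1": {"TargetFilename|endswith": ["\\TeamViewer\\RemotePrinting\\tvprint.db", "\\TeamViewer\\TVNetwork.log"]},
        "selection2": {"TargetFilename|contains|all": ["\\TeamViewer", "_Logfile.log"]},
        "condition": "1 of selection*"}},
}

EVENTS = [  # constructed sample records, not real telemetry
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl hw.model"},                      # fires
    {"Image": "/bin/sh", "CommandLine": "sh -c 'sysctl -n machdep.cpu.brand_string'"},  # fires via the CommandLine branch
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl net.inet.ip.forwarding"},      # misses: no hw./kern./machdep.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tapinstall.exe", "CommandLine": "tapinstall.exe install OemVista.inf tap0901"},  # fires
    {"Image": "C:\\Program Files\\OpenVPN Connect\\drivers\\tap\\amd64\\tapinstall.exe", "CommandLine": "tapinstall.exe update OemVista.inf tap0901"},  # filtered
    {"TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\TeamViewer\\TeamViewer15_Logfile.log"},  # fires via selection2
    {"TargetFilename": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},                # misses: no _Logfile.log
]

def run(rules=RULES, events=EVENTS):
    """Titles of the rules that fire on each event, in event order."""
    return [[t for t, r in rules.items() if sigma_match(r, ev)] for ev in events]
```

The second sample event is the one worth noticing: `sysctl` launched through `sh -c` never has `/sysctl` as its Image, and the rule only catches it because selection_img also accepts a CommandLine that contains `sysctl`. If your schema renames either field, both branches of that list have to be remapped or you silently lose one of them.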
medium Moderate High FP
Terminate Linux Process Via Kill
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
status test author Tuan Le (NCSGroup) ATT&CK technique id 64c41342-6b27-523b-5d3f-c265f3efcdb3
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path in ("*/kill", "*/killall", "*/pkill", "*/xkill")))
view Sigma YAML
title: Terminate Linux Process Via Kill
id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
status: test
description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
    - https://www.cyberciti.biz/faq/how-force-kill-process-linux/
    - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
author: Tuan Le (NCSGroup)
date: 2023-03-16
modified: 2024-12-12
tags:
    - attack.defense-impairment
    - attack.t1685
    - detection.threat-hunting
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/kill'
            - '/killall'
            - '/pkill'
            - '/xkill'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Third Party Software DLL Sideloading
Detects DLL sideloading of DLLs that ship with third-party software. Currently covers the Lenovo Communications Utility (commfunc.dll) and the Toshiba Bluetooth Stack (tosbtkbd.dll); the Zoom case (version.dll) is commented out because it produces false positives with the System32 version.dll.
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) ATT&CK sub-technique id f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path contains "\commfunc.dll" and 
 (not 
 (action_module_path contains "\AppData\local\Google\Chrome\Application\" or 
 (action_module_path in ("C:\Program Files\Lenovo\Communications Utility\*", "C:\Program Files (x86)\Lenovo\Communications Utility\*"))))) or 
 (action_module_path contains "\tosbtkbd.dll" and 
 (not 
 (action_module_path in ("C:\Program Files\Toshiba\Bluetooth Toshiba Stack\*", "C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\*"))))))
view Sigma YAML
title: Third Party Software DLL Sideloading
id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
status: test
description: Detects DLL sideloading of DLLs that ship with third-party software. Currently covers the Lenovo Communications Utility (commfunc.dll) and the Toshiba Bluetooth Stack (tosbtkbd.dll); the Zoom case (version.dll) is commented out because it produces false positives with the System32 version.dll.
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Lenovo
    selection_lenovo:
        ImageLoaded|endswith: '\commfunc.dll'
    filter_lenovo:
        - ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
        - ImageLoaded|startswith:
              - 'C:\Program Files\Lenovo\Communications Utility\'
              - 'C:\Program Files (x86)\Lenovo\Communications Utility\'
    # Toshiba
    selection_toshiba:
        ImageLoaded|endswith: '\tosbtkbd.dll'
    filter_toshiba:
        ImageLoaded|startswith:
            - 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'
            - 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
    # Zoom (FP with System32)
    # selection_zoom:
    #     ImageLoaded|endswith: '\version.dll'
    # filter_zoom:
    #     ImageLoaded|startswith: 'C:\Users\'
    #     ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\'
    condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of macOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
status test author Pratinav Chandra ATT&CK technique id 452df256-da78-427a-866f-49fa04417d74
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 ((action_process_image_path contains "/tmutil" or 
 action_process_image_command_line contains "tmutil") and 
 action_process_image_command_line contains "delete"))
view Sigma YAML
title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
id: 452df256-da78-427a-866f-49fa04417d74
status: test
description: |
    Detects deletion attempts of macOS Time Machine backups via the native backup utility "tmutil".
    An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'delete'
    condition: all of selection_*
falsepositives:
    - Legitimate activities
level: medium
medium Moderate High FP
Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
status test author Pratinav Chandra ATT&CK technique id 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 ((action_process_image_path contains "/tmutil" or 
 action_process_image_command_line contains "tmutil") and 
 action_process_image_command_line contains "disable"))
view Sigma YAML
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: test
description: |
    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
    An attacker can use this to prevent backups from occurring.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'disable'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium Moderate Medium FP
Tomcat WebServer Logs Deleted
Detects the deletion of Tomcat web server logs, which may indicate an attempt to destroy forensic evidence.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter (event_type = ENUM.FILE and 
 event_sub_type = ENUM.FILE_REMOVE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "\Tomcat" and 
 action_file_name contains "\logs\") and 
 (action_file_name in ("*catalina.*", "*_access_log.*", "*localhost.*"))))
view Sigma YAML
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: test
description: Detects the deletion of Tomcat web server logs, which may indicate an attempt to destroy forensic evidence.
references:
    - Internal Research
    - https://linuxhint.com/view-tomcat-logs-windows/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-16
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Tomcat'
            - '\logs\'
        TargetFilename|contains:
            - 'catalina.'
            - '_access_log.'
            - 'localhost.'
    condition: selection
falsepositives:
    - During uninstallation of the tomcat server
    - During log rotation
level: medium
medium Moderate High FP
Touch Suspicious Service File
Detects use of "touch -t" against a ".service" unit file to set its timestamps to a chosen value, a timestomping technique that makes a freshly dropped persistence unit look as old as the files around it.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK sub-technique id 31545105-3444-4584-bebf-c466353230d2
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/touch" and 
 action_process_image_command_line contains " -t " and 
 action_process_image_command_line contains ".service"))
view Sigma YAML
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects use of "touch -t" against a ".service" unit file to set its timestamps to a chosen value, a timestomping technique that makes a freshly dropped persistence unit look as old as the files around it.
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains: ' -t '
        CommandLine|endswith: '.service'
    condition: selection
falsepositives:
    - Admin changing date of files.
level: medium
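A process-creation alert from this rule tells you that touch -t ran, not whether a unit file on disk was actually backdated. The follow-up check a responder wants is to compare the unit file's mtime with its ctime: touch -t goes through utimes(2), which sets atime and mtime but cannot set ctime, and the kernel bumps ctime to the current time on that very call, so a stomped file ends up with a ctime well after its mtime. The check below is an added example, not part of the rule or of SigmaHQ; it assumes POSIX timestamp semantics (Linux or macOS, where st_ctime is inode-change time rather than creation time as on Windows) and constructs its own scratch unit files instead of reading /etc/systemd. Note also that the rendered XDR query above uses `contains ".service"` where the Sigma rule uses `endswith`, so the XQL version also fires on names such as foo.service.bak.

```python
import os
import tempfile
import time

def timestomp_suspect(path, slack=2.0):
    """True when the file's mtime is older than its ctime by more than `slack` seconds.
    touch -t rewrites atime/mtime via utimes(2) but cannot set ctime, which the kernel
    updates to "now" on that call, so a backdated file shows ctime > mtime. POSIX only."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack

def scan_units(directory, slack=2.0):
    """Sorted paths of *.service files under `directory` whose timestamps look stomped."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith(".service") and timestomp_suspect(path, slack):
                hits.append(path)
    return sorted(hits)

def demo():
    """Write two constructed unit files into a scratch directory, backdate one the way
    `touch -t 202201010000 kworker.service` would, and return what the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("cron.service", "kworker.service"):
            with open(os.path.join(d, name), "w") as f:
                f.write("[Service]\nExecStart=/usr/bin/true\n")
        old = time.mktime((2022, 1, 1, 0, 0, 0, 0, 0, -1))       # 2022-01-01 00:00 local time
        os.utime(os.path.join(d, "kworker.service"), (old, old))  # same syscall family touch -t uses
        return [os.path.basename(p) for p in scan_units(d)]
```

Run `scan_units("/etc/systemd/system")` on a host that raised this alert; the freshly written cron.service in the demo is not flagged because its mtime and ctime were set by the same write, while the backdated unit is. Keep `slack` small but non-zero, since package managers that extract files with preserved mtimes will also produce a gap, so treat a hit as a lead to correlate with the alert, not as proof on its own.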