Palo Alto Cortex XDR
559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Filter by technique (pick techniques from the ATT&CK matrix). Rules per tactic:
- Reconnaissance (4)
- Resource Development (5)
- Initial Access (7)
- Execution (25)
- Persistence (31)
- Privilege Escalation (17)
- Stealth (63)
- Defense Impairment (16)
- Credential Access (26)
- Discovery (24)
- Lateral Movement (10)
- Collection (11)
- Command and Control (18)
- Exfiltration (7)
- Impact (10)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 559
Level: medium · Quality: Moderate · Alert volume: Medium FP
OpenEDR Spawning Command Shell
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
Sigma YAML:
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.execution
    - attack.t1059.003
    - attack.lateral-movement
    - attack.t1021.004
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
falsepositives:
    - Legitimate use of OpenEDR for remote command execution
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects potential suspicious applet or osascript executing "osacompile".
Sigma YAML:
title: Osacompile Execution By Potentially Suspicious Applet/Osascript
id: a753a6af-3126-426d-8bd0-26ebbcb92254
status: test
description: Detects potential suspicious applet or osascript executing "osacompile".
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (Idea)
date: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith:
            - '/applet'
            - '/osascript'
        CommandLine|contains: 'osacompile'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to Outlook security settings.
Sigma YAML:
title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
      type: similar
status: test
description: Detects changes to the registry values related to Outlook security settings.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021-12-28
modified: 2026-01-09
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\Security\'
    filter_main_outlook:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
Sigma YAML:
title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
PUA - Mouse Lock Execution
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
Sigma YAML:
title: PUA - Mouse Lock Execution
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
references:
    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
    - https://sourceforge.net/projects/mouselock/
author: Cian Heasley
date: 2020-08-13
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product|contains: 'Mouse Lock'
        - Company|contains: 'Misc314'
        - CommandLine|contains: 'Mouse Lock_'
    condition: selection
falsepositives:
    - Legitimate uses of Mouse Lock software
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
Sigma YAML:
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml
Level: medium · Quality: Moderate · Alert volume: Medium FP
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Sigma YAML:
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
Level: medium · Quality: Moderate · Alert volume: Medium FP
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
While it is a legitimate tool, intended for use in CI pipelines and security assessments,
it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
Sigma YAML:
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Path To Screensaver Binary Modified
Detects value modification of the registry key containing the path to the binary used as screensaver.
Sigma YAML:
title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of the registry key containing the path to the binary used as screensaver.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020-10-11
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
    filter:
        Image|endswith:
            - '\rundll32.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate modification of screensaver
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Payload Decoded and Decrypted via Built-in Utilities
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Sigma YAML:
title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.stealth
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - '/Volumes/'
            - 'enc'
            - '-base64'
            - ' -d '
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
Sigma YAML:
title: Periodic Backup For System Registry Hives Enabled
id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
status: test
description: |
    Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
    Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-01
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Session Manager\Configuration Manager\EnablePeriodicBackup'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate need for RegBack feature by administrators.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
The disk cleanup manager is part of the operating system.
It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Sigma YAML:
title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
    The disk cleanup manager is part of the operating system.
    It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    root:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    selection_autorun:
        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
        TargetObject|contains: '\Autorun'
        Details: 'DWORD (0x00000001)'
    selection_pre_after:
        TargetObject|contains:
            - '\CleanupString'
            - '\PreCleanupString'
        Details|contains:
            # Add more as you see fit
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - 'wsl'
            - '\Users\Public\'
            - '\Windows\TEMP\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: root and 1 of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Persistence Via New SIP Provider
Detects when an attacker registers a new SIP provider for persistence and defense evasion.
Sigma YAML:
title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
status: test
description: Detects when an attacker registers a new SIP provider for persistence and defense evasion.
references:
    - https://persistence-info.github.io/Data/codesigning.html
    - https://github.com/gtworek/PSBits/tree/master/SIP
    - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1553.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_root:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
    selection_dll:
        TargetObject|contains:
            - '\Dll'
            - '\$DLL'
    filter:
        Details:
            # Add more legitimate SIP providers according to your env
            - WINTRUST.DLL
            - mso.dll
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|contains: '\CryptSIPDll'
        Details: 'C:\Windows\System32\PsfSip.dll'
    condition: all of selection_* and not 1 of filter*
falsepositives:
    - Legitimate SIP being registered by the OS or different software.
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Persistence Via Sudoers.d Files
Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
Sigma YAML:
title: Persistence Via Sudoers.d Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: |
    Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
    Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
    Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2026-03-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    filter_main_dpkg:
        Image|endswith: '/usr/bin/dpkg'
        TargetFilename: '/etc/sudoers.d/README.dpkg-new'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Creation of legitimate files in sudoers.d folder as part of administrator work
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Persistence Via TypedPaths - CommandLine
Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt.
Sigma YAML:
title: Persistence Via TypedPaths - CommandLine
id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
status: test
description: Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt.
references:
    - https://twitter.com/dez_/status/1560101453150257154
    - https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
tags:
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.
Sigma YAML:
title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: test
description: |
    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT.
author: David Burkett (@signalblur)
date: 2024-04-16
references:
    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
    - https://regex101.com/r/RugQYK/1
    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
Sigma YAML:
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential AMSI Bypass Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Sigma YAML:
title: Potential AMSI Bypass Using NULL Bits
id: 92a974db-ab84-457f-9ec0-55db83d7a825
related:
    - id: fa2559c8-1197-471d-9cdd-05a0273d4522
      type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "if(0){{{0}}}' -f $(0 -as [char]) +"
            - "#<NULL>"
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google.
In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
Sigma YAML:
title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: test
description: |
    Detects potential APT FIN7 exploitation activity as reported by Google.
    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_notepad_plus:
        ParentImage|endswith: '\notepad++.exe'
        Image|endswith: '\cmd.exe'
    selection_rdpinit:
        ParentImage|endswith: '\rdpinit.exe'
        Image|endswith: '\notepad++.exe'
    condition: 1 of selection_*
falsepositives:
    - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
Sigma YAML:
title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
status: test
description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
references:
    - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-02
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1218.010
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'regsvr32'
            - '\AppData\Local\'
            - '.dll'
            - ',DllEntry'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"
Sigma YAML:
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\AVKkid.dll'
    filter_main_legit_path:
        Image|contains:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
        Image|endswith: '\AVKKid.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Sigma YAML:
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\amazon-ssm-agent.exe'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
references:
    - https://hijacklibs.net/ # List of DLLs that can be sideloaded (look up the DLLs mentioned in this rule there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\program Files\ESET'
            - 'C:\program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\program Files\Trend Micro\Titanium\'
            - 'C:\program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
        or (selection_fsecure and not filter_fsecure)
        or (selection_mcafee and not filter_mcafee)
        or (selection_cyberark and not filter_cyberark)
        or (selection_avast and not 1 of filter_wsc_dll_*)
        or (selection_titanium and not filter_titanium)
        or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same DLLs mentioned in the detection section. Investigate them and filter them out if they cause a lot of false positives.
    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file.
level: medium
medium
Moderate
High FP
Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
Attackers might abuse this in order to bypass application whitelisting.
title: Potential Application Whitelisting Bypass via Dnx.EXE
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: test
description: |
    Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
    Attackers might abuse this in order to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019-10-26
modified: 2024-04-24
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnx.exe'
    condition: selection
falsepositives:
    - Legitimate use of dnx.exe by legitimate user
level: medium
medium
Strong
Medium FP
Potential Binary Or Script Dropper Via PowerShell
Detects PowerShell creating a binary executable or a script file.
title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2025-07-04
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_other_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith:
            - 'C:\Windows\Temp\'
            - 'C:\Windows\SystemTemp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_powershell_module:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
        TargetFilename|endswith: '.dll'
    filter_main_nuget:
        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium
medium
Strong
Medium FP
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerDU.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith:
            - '\CCleaner.exe'
            - '\CCleaner64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
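The image_load sideloading rules above (AVKkid, the antivirus-suite rule, CCleanerDU) all share one shape: a broad `selection` on the DLL name, one or more `filter_main_*` / `filter_optional_*` selections that carve out the vendor's install path, and a condition of the form `selection and not 1 of filter_*`. Two details decide whether such a rule is quiet or noisy. Every key inside one selection is ANDed, so a filter with both `Image|startswith` and `Image|endswith` only excludes the named binaries, not everything under the install directory; and Sigma string matching is case-insensitive, which is why filters spelled `C:\program Files\...` still work. The evaluator below is an added example, not code from the Sigma project or from this page's corpus; it implements just the subset of the Sigma specification these rules use (modifiers `contains`, `startswith`, `endswith`, `all`; list values as OR; conditions built from `and`, `or`, `not`, parentheses, `1 of x*` and `all of x*`) and runs the CCleanerDU rule from directly above, written as a Python dict so PyYAML is not needed, over three constructed image_load events.

```python
"""Minimal evaluator for the Sigma rule shape used on this page.

Added example, not part of the Sigma project. Supports: field|contains,
|startswith, |endswith, |all modifiers, list values (OR unless |all), ANDed keys
inside a selection, and conditions using and / or / not / ( ) / "1 of x*" / "all of x*".
Comparison is case-insensitive, as the Sigma specification requires.
"""
import fnmatch
import re


def _match_one(value, modifiers, pattern):
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def match_selection(selection, event):
    """Every key of a selection must match (AND); list values are OR unless |all."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:          # a missing field never matches
            return False
        pats = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_one(event[field], modifiers, p) for p in pats]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def eval_condition(condition, results):
    """Recursive-descent evaluation of a Sigma condition over named selection results."""
    tokens = re.findall(r"\(|\)|(?:1|all) of [\w*]+|\w+", " ".join(condition.split()))
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = disjunction()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok == "not":
            return not atom()
        if " of " in tok:               # "1 of filter_main_*" / "all of selection_*"
            quantifier, glob = tok.split(" of ")
            matched = [v for name, v in results.items() if fnmatch.fnmatchcase(name, glob)]
            return any(matched) if quantifier == "1" else all(matched)
        return results[tok]

    def conjunction():
        value = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            rhs = atom()                # always consume the right-hand side
            value = value and rhs
        return value

    def disjunction():
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            rhs = conjunction()
            value = value or rhs
        return value

    value = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return bool(value)


def evaluate(rule, event):
    detection = rule["detection"]
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


# The CCleanerDU sideloading rule from this page, as a Python dict.
CCLEANER_RULE = {
    "detection": {
        "selection": {"ImageLoaded|endswith": "\\CCleanerDU.dll"},
        "filter_main_path": {
            "Image|startswith": ["C:\\Program Files\\CCleaner\\", "C:\\Program Files (x86)\\CCleaner\\"],
            "Image|endswith": ["\\CCleaner.exe", "\\CCleaner64.exe"],
        },
        "condition": "selection and not 1 of filter_main_*",
    }
}

# Constructed image_load events for the example, not real telemetry.
EVENTS = {
    "legit":    {"Image": "C:\\Program Files\\CCleaner\\CCleaner64.exe",
                 "ImageLoaded": "C:\\Program Files\\CCleaner\\CCleanerDU.dll"},
    "sideload": {"Image": "C:\\Users\\Public\\CCleaner64.exe",
                 "ImageLoaded": "C:\\Users\\Public\\CCleanerDU.dll"},
    "other":    {"Image": "C:\\Program Files\\CCleaner\\updater.exe",
                 "ImageLoaded": "C:\\Program Files\\CCleaner\\CCleanerDU.dll"},
}


def run():
    """Rule verdict per constructed event: True means the rule would alert."""
    return {name: evaluate(CCLEANER_RULE, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, alert in run().items():
        print(f"{name:9s} -> {'ALERT' if alert else 'ok'}")
```

The third event is the one to note before deploying: a hypothetical `updater.exe` living in the real install directory still alerts, because the filter's `Image|endswith` list names only the two CCleaner executables. That is the rule behaving as written, not a bug, but it is exactly the kind of thing the "Adapt" step in the page header asks you to check against your own baseline. The same evaluator handles the multi-line condition of the antivirus-suite rule, since plain filter names (`filter_fsecure`) and globbed ones (`1 of filter_log_dll_*`) are both supported.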
medium
Strong
Medium FP
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerReactivator.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith: '\CCleanerReactivator.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Moderate
High FP
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'HKU\'
            - 'Classes\CLSID\'
            - '\TreatAs'
    filter_main_svchost:
        # Example of target object by svchost
        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
        Image: 'C:\WINDOWS\system32\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some system utilities may, in rare cases, use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
    - type: atomic-red-team
      name: COM hijacking via TreatAs
      technique: T1546.015
      atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
medium
Moderate
High FP
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
    - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
      type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        CommandLine|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library
level: medium
medium
Strong
Medium FP
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
As reported by Morphisec, as part of the attack chain the threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat service process "prunsrv.exe".
title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
id: 5660d8db-6e25-411f-b92f-094420168a5d
status: test
description: |
    Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
    As reported by Morphisec, as part of the attack chain the threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat service process "prunsrv.exe".
references:
    - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
    - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
author: '@kostastsale'
date: 2022-04-25
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1059.006
    - attack.t1190
    - cve.2022-22954
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\prunsrv.exe'
    selection_payload_pwsh:
        Image|endswith: '\powershell.exe'
    selection_payload_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '/c powershell'
    condition: selection_parent and 1 of selection_payload_*
falsepositives:
    - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
level: medium
medium
Moderate
Medium FP
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
id: 92389a99-5215-43b0-a09f-e334453b2ed3
status: test
description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
        TargetFilename|endswith: '\Report.wer'
    filter_main_locations:
        TargetFilename|contains:
            # Note: This list is non exhaustive. Use this as a start for hunting for suspicious folder report
            - '\ReportArchive\AppCrash_'
            - '\ReportArchive\AppHang_'
            - '\ReportArchive\Critical_'
            - '\ReportArchive\Kernel_'
            - '\ReportArchive\NonCritical_'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
title: Potential CVE-2023-36884 Exploitation Dropped File
id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
status: test
description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
    - https://twitter.com/wdormann/status/1679184475677130755
    - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - cve.2023-36884
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
        TargetFilename|endswith: '\file001.url'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
status: test
description: |
    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
references:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - cve.2024-3400
    - detection.emerging-threats
logsource:
    product: paloalto
    service: globalprotect
    category: file_event
    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
detection:
    selection:
        TargetFilename|contains:
            - '{IFS}'
            - 'base64'
            - 'bash'
            - 'curl'
            - 'http'
        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
    condition: selection
falsepositives:
    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
level: medium
medium
Strong
Medium FP
Potential CVE-2024-35250 Exploitation Activity
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
title: Potential CVE-2024-35250 Exploitation Activity
id: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
status: experimental
description: |
    Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
references:
    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
    - https://github.com/varwara/CVE-2024-35250
    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: '@eyezuhk Isaac Fernandes'
date: 2025-02-19
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2024-35250
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\ksproxy.ax'
    filter_main_system_paths:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_zoom:
        Image|endswith: '\AppData\Roaming\Zoom\bin\Zoom.exe'
    filter_optional_firefox:
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_optional_chrome:
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_optional_opera:
        Image|endswith: '\AppData\Local\Programs\Opera\opera.exe'
    filter_optional_discord:
        Image|endswith: '\AppData\Local\Discord\app-*\Discord.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications that use Windows Stream Interface APIs.
    - Media applications that use DirectShow filters.
level: medium
medium
Moderate
Medium FP
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\chrome_frame_helper.dll'
    filter_main_path:
        ImageLoaded|startswith:
            - 'C:\Program Files\Google\Chrome\Application\'
            - 'C:\Program Files (x86)\Google\Chrome\Application\'
    filter_optional_user_path:
        ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
title: Potential Command Line Path Traversal Evasion Attempt
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
status: test
description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
references:
    - https://twitter.com/hexacorn/status/1448037865435320323
    - https://twitter.com/Gal_B1t/status/1062971006078345217
author: Christian Burkard (Nextron Systems)
date: 2021-10-26
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|contains: '\Windows\'
        CommandLine|contains:
            - '\..\Windows\'
            - '\..\System32\'
            - '\..\..\'
    selection_2:
        CommandLine|contains: '.exe\..\'
    filter_optional_google_drive:
        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
    filter_optional_citrix:
        CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Google Drive
    - Citrix
level: medium
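The `'.exe\..\'` fragment in `selection_2` above is the interesting one: Windows resolves `..` lexically, without checking that the component before it exists, so `C:\Windows\System32\calc.exe\..\cmd.exe` runs cmd.exe while the command line reads as if calc.exe were launched. The added example below is not code from the Sigma project or this page. It uses `ntpath.normpath`, which performs the same lexical resolution on any platform, to show the executed path beside the written one, and re-implements the rule's substring logic on the command line alone (the rule's `selection_1` additionally requires the Image to sit under `\Windows\`, which the example does not model). The command lines are constructed for the example.

```python
"""Added example, not from the Sigma project or this page: what '.exe\\..\\' in a
command line really resolves to, and how the path-traversal rule above treats it.
"""
import ntpath

# selection_1 and selection_2 of the rule above, as plain substrings
TRAVERSAL_FRAGMENTS = ("\\..\\Windows\\", "\\..\\System32\\", "\\..\\..\\", ".exe\\..\\")
# filter_optional_* of the rule: products known to build such paths legitimately
KNOWN_BENIGN = (
    "\\Google\\Drive\\googledrivesync.exe\\..\\",
    "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\",
)


def resolved_target(path):
    """The file Windows would actually open for this path string (lexical '..' resolution)."""
    return ntpath.normpath(path)


def flags_traversal(cmdline):
    """Rule logic on CommandLine only: any traversal fragment, unless a known-benign fragment explains it."""
    low = cmdline.lower()
    if any(b.lower() in low for b in KNOWN_BENIGN):
        return False
    return any(f.lower() in low for f in TRAVERSAL_FRAGMENTS)


# Constructed command lines for the example, not observed telemetry.
SAMPLES = {
    "bogus_component": "C:\\Windows\\System32\\calc.exe\\..\\cmd.exe /c whoami",
    "up_and_back":     "C:\\Windows\\System32\\..\\..\\Windows\\System32\\calc.exe",
    "google_drive":    "C:\\Program Files\\Google\\Drive\\googledrivesync.exe\\..\\googledrivesync.exe",
    "plain":           "C:\\Windows\\System32\\cmd.exe /c whoami",
}


def report():
    """(rule alerts?, executable that actually runs) per sample; the executable is the text before ' /c'."""
    out = {}
    for name, cmdline in SAMPLES.items():
        exe = cmdline.split(" /c")[0]
        out[name] = (flags_traversal(cmdline), resolved_target(exe))
    return out


if __name__ == "__main__":
    for name, (alert, target) in report().items():
        print(f"{name:16s} alert={alert!s:5s} runs: {target}")
```

The first sample is the evasion the rule is written for: a reviewer scanning for `calc.exe` sees it, the loader runs `cmd.exe`. The Google Drive sample shows why the `filter_optional_*` entries exist; before disabling them, confirm those products are actually present in your fleet, since the filter is a blanket substring match on the command line.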
medium
Moderate
High FP
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential CommandLine obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
title: Potential CommandLine Obfuscation Using Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
related:
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential CommandLine obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems)
date: 2022-01-15
modified: 2024-09-05
tags:
    - attack.stealth
    - attack.t1027
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x2215
            - '⁄' # 0x2044
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that doesn't work as a path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
title: Potential Commandline Obfuscation Using Escape Characters
id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
status: test
description: Detects potential commandline obfuscation using known escape characters
references:
    - https://twitter.com/vysecurity/status/885545634958385153
    - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link
    - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link
    - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
    - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
date: 2018-12-11
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1140
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # - <TAB> # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
            - 'h^t^t^p'
            - 'h"t"t"p'
    condition: selection
falsepositives:
    - Unknown
level: medium
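The two obfuscation rules above (Unicode look-alikes, and cmd.exe escape characters) match literal fragments, so `h^t^t^p` fires while `h^ttp` or `ht"t"p` does not, and a slash swapped for U+2215 is caught only because that exact character is listed. A complementary approach is to canonicalise the command line before matching and to treat any non-ASCII character that survives canonicalisation as worth a look. The example below is added here and is not code from the Sigma project or this page. Its look-alike table is the character list from the Unicode rule; mapping each entry to an ASCII counterpart is this example's assumption about what the launched program's argument parser ends up with, not a statement about any particular Windows API, which is also why the tone-mark character U+02EA is deliberately left unmapped and surfaces as a leftover instead. Carets are stripped the way cmd.exe consumes them (`^` escapes the next character, so `^^` becomes a literal `^`), and double quotes are dropped because they delimit arguments rather than being argument text. The command lines are constructed for the example.

```python
"""Added example, not from the Sigma project or this page: canonicalise a Windows
command line before matching, then compare the literal escape-character rule
against matching on the canonical form.
"""
import re

# Look-alikes listed by the Unicode rule above; the ASCII targets are this example's assumption.
LOOKALIKES = {
    "\u02e3": "x",   # MODIFIER LETTER SMALL X
    "\u02e2": "s",   # MODIFIER LETTER SMALL S
    "\u2215": "/",   # DIVISION SLASH
    "\u2044": "/",   # FRACTION SLASH
    "\u2015": "-",   # HORIZONTAL BAR
    "\u2014": "-",   # EM DASH
    "\u00a0": " ",   # NO-BREAK SPACE
}
_TRANSLATE = str.maketrans(LOOKALIKES)

# Literal fragments the escape-character rule above looks for.
ESCAPE_RULE_PATTERNS = ('h^t^t^p', 'h"t"t"p')


def canonicalise(cmdline):
    """Return the command line roughly as the target program's argument parser would see it."""
    text = cmdline.translate(_TRANSLATE)
    text = re.sub(r"\^(.)", r"\1", text)   # cmd.exe: ^ escapes the next character, ^^ is a literal ^
    text = text.replace('"', "")           # quotes delimit arguments; they are not argument text
    return text


def leftover_non_ascii(cmdline):
    """Non-ASCII characters the table did not map; each one deserves a look in a command line."""
    return sorted({c for c in canonicalise(cmdline) if ord(c) > 0x7F})


def escape_rule_hits(cmdline):
    """What the literal rule sees (Sigma matching is case-insensitive)."""
    low = cmdline.lower()
    return any(p in low for p in ESCAPE_RULE_PATTERNS)


def canonical_hits(cmdline, indicator="http"):
    """Indicator present after canonicalisation AND the canonical form differs from the raw one."""
    canon = canonicalise(cmdline)
    return indicator in canon.lower() and canon != cmdline


# Constructed command lines for the example, not observed telemetry.
SAMPLES = {
    "literal": 'cmd /c curl h^t^t^p://203.0.113.5/a',
    "variant": 'cmd /c curl h^ttp://203.0.113.5/a',
    "quotes":  'cmd /c curl ht"t"p://203.0.113.5/a',
    "unicode": 'cmd /c curl http:\u2215\u2215203.0.113.5\u2215a',
    "benign":  'cmd /c curl http://203.0.113.5/a',
}


def compare():
    """(literal rule fires?, canonical matching fires?) per sample."""
    return {name: (escape_rule_hits(c), canonical_hits(c)) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, (literal, canonical) in compare().items():
        print(f"{name:8s} literal-rule={literal!s:5s} canonical={canonical}")
```

The "differs from the raw form" test in `canonical_hits` is what keeps the benign sample quiet: a plain `http://` URL is not evidence of anything, the evidence is that somebody went to the trouble of hiding one. The same idea applies to the other patterns on this page that hunt for a fixed string inside `CommandLine`.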
medium
Strong
Medium FP
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    filter:
        TargetObject|contains:
            - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
            - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
            - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
            # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL; remove the comment if you use WSL in your environment
    filter_valid_procs:
        Image: C:\Windows\System32\poqexec.exe
    condition: selection and not 1 of filter*
falsepositives:
    - Other legitimate network providers that are in use and not filtered out by this rule
level: medium
medium
Moderate
High FP
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
title: Potential DLL File Download Via PowerShell Invoke-WebRequest
id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
status: test
description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Florian Roth (Nextron Systems), Hieu Tran
date: 2023-03-13
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-RestMethod '
            - 'Invoke-WebRequest '
            - 'IRM '
            - 'IWR '
        CommandLine|contains|all:
            - 'http'
            - 'OutFile'
            - '.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
title: Potential DLL Sideloading Of DBGCORE.DLL
id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
status: test
description: Detects DLL sideloading of "dbgcore.dll"
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\dbgcore.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_steam:
        ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
    filter_optional_opera:
        # C:\\Users\\User\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp\\opera_package_202311051506321\\assistant\\dbgcore.dll
        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
        ImageLoaded|endswith: '\assistant\dbgcore.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
medium
Strong
Medium FP
Potential DLL Sideloading Of DBGHELP.DLL
Detects potential DLL sideloading of "dbghelp.dll"
title: Potential DLL Sideloading Of DBGHELP.DLL
id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
status: test
description: Detects potential DLL sideloading of "dbghelp.dll"
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\dbghelp.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_anaconda:
        ImageLoaded|endswith:
            - '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll'
            - '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll'
    filter_optional_epicgames:
        ImageLoaded|endswith:
            - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
            - '\Epic Games\MagicLegends\x86\dbghelp.dll'
    filter_optional_opera:
        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
        ImageLoaded|endswith: '\assistant\dbghelp.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
medium
Strong
Medium FP
Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll"
view Sigma YAML
title: Potential DLL Sideloading Of DbgModel.DLL
id: fef394cd-f44d-4040-9b18-95d92fe278c0
status: test
description: Detects potential DLL sideloading of "DbgModel.dll"
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
author: Gary Lobermier
date: 2024-07-11
modified: 2024-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\dbgmodel.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_windbg:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.WinDbg_'
    filter_optional_windows_kits:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
medium
Moderate
Medium FP
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
view Sigma YAML
title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
status: test
description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
        ImageLoaded|endswith: '\libcurl.dll'
    filter_main_notepad_plusplus:
        Image|endswith: '\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
view Sigma YAML
title: Potential DLL Sideloading Of MpSvc.DLL
id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
status: test
description: Detects potential DLL sideloading of "MpSvc.dll".
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\MpSvc.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
medium
Moderate
High FP
Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
view Sigma YAML
title: Potential DLL Sideloading Of MsCorSvc.DLL
id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
status: test
description: Detects potential DLL sideloading of "mscorsvc.dll".
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
author: Wietze Beukema
date: 2024-07-11
modified: 2025-02-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\mscorsvc.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\Microsoft.NET\Framework\'
            - 'C:\Windows\Microsoft.NET\Framework64\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
medium
Moderate
High FP
Potential DLL Sideloading Using Coregen.exe
Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
view Sigma YAML
title: Potential DLL Sideloading Using Coregen.exe
id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
status: test
description: Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
author: frack113
date: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1218
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\coregen.exe'
    filter_main_legit_paths:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Silverlight\'
            - 'C:\Program Files\Microsoft Silverlight\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
view Sigma YAML
title: Potential DLL Sideloading Via ClassicExplorer32.dll
id: caa02837-f659-466f-bca6-48bde2826ab4
status: test
description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
references:
    - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
    - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
author: frack113
date: 2022-12-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection_classicexplorer:
        ImageLoaded|endswith: '\ClassicExplorer32.dll'
    filter_classicexplorer:
        ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
    condition: selection_classicexplorer and not filter_classicexplorer
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potential DLL Sideloading Via JsSchHlp
Detects potential DLL sideloading using the JUSTSYSTEMS Japanese word processor
view Sigma YAML
title: Potential DLL Sideloading Via JsSchHlp
id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
status: test
description: Detects potential DLL sideloading using the JUSTSYSTEMS Japanese word processor
references:
    - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
    - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
author: frack113
date: 2022-12-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\JSESPR.dll'
    filter:
        ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Strong
High FP
Potential Data Exfiltration Via Curl.EXE
Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration
view Sigma YAML
title: Potential Data Exfiltration Via Curl.EXE
id: 00bca14a-df4e-4649-9054-3f2aa676bc04
status: test
description: Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration
references:
    - https://twitter.com/d1r4c/status/1279042657508081664
    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
    - https://curl.se/docs/manpage.html
author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
date: 2020-07-03
modified: 2023-05-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_cli:
        - CommandLine|contains:
              - ' --form' # Also covers "--form-string"
              - ' --upload-file '
              - ' --data '
              - ' --data-' # For flags like "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
        - CommandLine|re: '\s-[FTd]\s' # Regex is used so that the short flags are matched case-sensitively
    filter_optional_localhost:
        CommandLine|contains:
            - '://localhost'
            - '://127.0.0.1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Scripts created by developers and admins
level: medium
Showing 201-250 of 559