title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
      type: similar
status: test
description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
author: Florian Roth (Nextron Systems)
date: 2022-07-21
modified: 2023-02-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\PSEXESVC.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection
falsepositives:
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high

title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    selection_other:
        CommandLine|contains:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
    condition: all of selection_*
falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high

title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
    - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Office\'
            - '\Excel\Security'
            - 'PythonFunctionWarnings'
        CommandLine|contains: ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
    - id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high

title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: |
    Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'socket'
            - 'spawn'
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
    - id: 899133d5-4d7c-4a7f-94ee-27355c879d90
      type: derived
status: test
description: Detects python spawning a pretty tty
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - 'python.exe' # no \ bc of e.g. ipython.exe
            - 'python3.exe'
            - 'python2.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high

title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
    - https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
modified: 2024-03-05
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -s'
        CommandLine|endswith: ' calc'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
    - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
      type: obsolete
    - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
      type: obsolete
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

    Below is a list of registry keys/values that are monitored by this rule:

    - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
    - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
    - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
    - fAllowUnsolicited: Allows unsolicited remote assistance offers.
    - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
    - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
    - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
    - SecurityLayer: Specifies the security layer used for RDP connections.
references:
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - https://blog.sekoia.io/darkgate-internals/
    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_shadow:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith: '\Shadow'
        Details:
            - 'DWORD (0x00000001)' # Full Control with user’s permission
            - 'DWORD (0x00000002)' # Full Control without user’s permission
            - 'DWORD (0x00000003)' # View Session with user’s permission
            - 'DWORD (0x00000004)' # View Session without user’s permission
    selection_terminal_services_key:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith:
            - '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
            - '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
            - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
            - '\fAllowUnsolicitedFullControl'
        Details: 'DWORD (0x00000001)'
    selection_tamper_only:
        # Any changes to these keys should be suspicious and looked at
        TargetObject|contains:
            - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
            - '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
            - '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
    filter_main_securitylayer_tls:
        TargetObject|endswith: '\SecurityLayer'
        Details: 'DWORD (0x00000002)' # TLS Enabled
    condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high

title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
    - https://github.com/Neo23x0/Raccine
author: Florian Roth (Nextron Systems)
date: 2021-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
            - 'RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'
            - 'delete'
            - 'Raccine Tray'
    selection3:
        CommandLine|contains|all:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
    condition: 1 of selection*
falsepositives:
    - Legitimate deinstallation by administrative staff
level: high

title: Rar Usage with Password and Compression Level
id: faa48cae-6b25-4f00-a094-08947fef582f
status: test
description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
    - https://ss64.com/bash/rar.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-03-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_password:
        CommandLine|contains: ' -hp'
    selection_other:
        CommandLine|contains:
            - ' -m'
            - ' a '
    condition: selection_password and selection_other
falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags
level: high

title: Raspberry Robin Initial Execution From External Drive
id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
related:
    - id: d52d2e87-eb03-4fac-961d-eb616da79788
      type: similar
status: test
description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains: '/r'
        ParentCommandLine|endswith:
            - '.bin'
            - '.ico'
            - '.lnk'
            - '.lo'
            - '.sv'
            - '.usb'
    selection_child_img:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: '/q'
    selection_child_http:
        CommandLine|contains:
            - 'http:'
            - 'https:'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Raspberry Robin Subsequent Execution of Commands
id: d52d2e87-eb03-4fac-961d-eb616da79788
related:
    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
      type: similar
status: test
description: Detects raspberry robin subsequent execution of commands.
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains|all:
            - 'odbcconf.exe'
            - 'regsvr'
            - 'shellexec_rundll'
        CommandLine|contains:
            - 'installdriver'
            - 'setfiledsndir'
            - 'vkipdse'
        CommandLine|endswith|windash:
            - '/a'
            - '/f'
            - '/s'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
    - https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
    condition: selection
falsepositives:
    - Unknown
level: high

title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
      type: similar
status: test
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f

title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # it is looking when oci.dll name is changed to something else like evil.dll
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high

title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - ':\$Recycle.bin\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode without Network
      technique: T1112
      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode with Network
      technique: T1112
      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4

title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
    condition: selection
falsepositives:
    - Legitimate deployment of AnyDesk
level: high

title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
    - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\csc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Remote XSL Execution Via Msxsl.EXE
id: 75d0a94e-6252-448d-a7be-d953dff527bb
status: test
description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
        CommandLine|contains: 'http'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
level: high

title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
      type: similar
    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
      type: similar
    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
      type: similar
status: test
description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021-07-13
modified: 2023-05-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-ATHRemoteFXvGPUDisablementCommand'
            - 'Invoke-ATHRemoteFXvGPUDisableme'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith:
            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Remove AMSI Provider Reg Key
      technique: T1562.001
      atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b

title: Renamed VsCode Code Tunnel Execution - File Indicator
id: d102b8f5-61dc-4e68-bd83-9a3187c67377
status: test
description: |
    Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\code_tunnel.json'
    filter_main_legit_name:
        # Note: There might be other legitimate names for VsCode. Please add them if found
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
    - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
      type: similar
status: test
description: |
    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023-01-13
modified: 2024-08-23
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
    condition: selection
falsepositives:
    - Unknown
level: high

title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
    - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
      type: similar
status: test
description: |
    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2025-08-28
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa'
            - 'DisableRestrictedAdmin'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-01-16
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Import-Certificate'
            - ' -FilePath '
            - 'Cert:\LocalMachine\Root'
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\TEMP\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - ':\Users\Public\'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Run PowerShell Script from ADS
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
status: test
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
references:
    - https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
author: Sergey Soldatov, Kaspersky Lab, oscd.community
date: 2019-10-30
modified: 2022-07-14
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Get-Content'
            - '-Stream'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Run PowerShell Script from Redirected Input Stream
id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
status: test
description: Detects PowerShell script execution via input stream redirect
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
    - https://twitter.com/Moriarty_Meng/status/984380793383370752
author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
date: 2020-10-17
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|re: '\s-\s*<'
    condition: selection
falsepositives:
    - Unknown
level: high

title: RunDLL32 Spawning Explorer
id: caa06de8-fdef-4c91-826a-7f9e163eef4b
status: test
description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim, CD_ROM_
date: 2022-04-27
modified: 2022-05-25
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\explorer.exe'
    filter:
        ParentCommandLine|contains: '\shell32.dll,Control_RunDLL'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: RunMRU Registry Key Deletion - Registry
id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
related:
    - id: c11aecef-9c37-45a6-9c07-bc0782f963fd
      type: similar
status: experimental
description: |
    Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml

title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high

title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high

title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.persistence
    - attack.t1133
logsource:
    category: registry_set
    product: windows
detection:
    chrome_ext:
        TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
        TargetObject|endswith: 'update_url'
    chrome_vpn:
        TargetObject|contains:
            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
            - chioafkonnhbpajpengbalkececleldf # BullVPN
            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
    condition: all of chrome_*
falsepositives:
    - Unknown
level: high

title: SNAKE Malware Covert Store Registry Key
id: d0fa35db-0e92-400e-aa16-d32ae2521618
status: test
description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SECURITY\Policy\Secrets\n'
    condition: selection
level: high

title: SNAKE Malware WerFault Persistence File Creation
id: 64827580-e4c3-4c64-97eb-c72325d45399
status: test
description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-05-18
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '\WerFault.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: SOURGUM Actor Behaviours
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
status: test
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
references:
    - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
    - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
author: MSTIC, FPT.EagleEye
date: 2021-06-15
modified: 2022-10-09
tags:
    - attack.t1546
    - attack.t1546.015
    - attack.persistence
    - attack.privilege-escalation
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|contains:
            - 'windows\system32\Physmem.sys'
            - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
    registry_image:
        Image|contains:
            - 'windows\system32\filepath2'
            - 'windows\system32\ime'
        CommandLine|contains: 'reg add'
    registry_key:
        CommandLine|contains:
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
    condition: selection or all of registry_*
falsepositives:
    - Unknown
level: high

title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: frack113
date: 2022-04-08
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_firefox:
        CommandLine|contains:
            - 'cookies.sqlite'
            - 'places.sqlite' # Bookmarks, history
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_root:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - ' /change '
            - ' /create '
    selection_run:
        CommandLine|contains: '/ru '
    selection_user:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
    filter_optional_teamviewer:
        # FP from test set in SIGMA
        # Cannot use ParentImage on all OSes for 4688 events
        # ParentImage|contains|all:
        #     - '\AppData\Local\Temp\'
        #     - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/TN TVInstallRestore'
            - '\TeamViewer_.exe'
    filter_optional_office:
        CommandLine|contains|all:
            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
            - 'Subscription Heartbeat'
            - '\HeartbeatConfig.xml'
            - '\Microsoft Shared\OFFICE'
    filter_optional_avira:
        CommandLine|contains:
            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: ScreenConnect - SlashAndGrab Exploitation Indicators
id: 05164d17-8e11-4d7d-973e-9e4962436b87
status: test
description: |
    Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains|all:
              - 'C:\Windows\Temp\ScreenConnect\'
              - '\LB3.exe'
        - TargetFilename|contains:
              - 'C:\mpyutd.msi'
              - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
              - 'C:\ProgramData\1.msi'
              - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
              - 'C:\ProgramData\update.dat'
              - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
              - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
              - 'C:\Windows\Help\Help\SentinelUI.exe'
              - 'C:\Windows\spsrv.exe'
              - 'C:\Windows\Temp\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
    - https://redcanary.com/blog/child-processes/
    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\scrcons.exe'
        Image|endswith:
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.execution
    - attack.collection
    - attack.t1005
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
         # Add more script interpreters as needed
            - '/node'
            - '/bun'
    selection_child:
        - Image|endswith:
              - '/trufflehog'
              - '/gitleaks'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high

title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
           # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml

title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    filter_main_cmd_bits:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'bits'
    filter_main_powershell_noprofile:
        Image|endswith: '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile -'
            - '-noprofile'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
      type: similar
status: experimental
description: |
    Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
    Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
    Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
    condition: selection
falsepositives:
    - Highly Unlikely
level: high

title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
    - https://twitter.com/JohnLaTwC/status/1415295021041979392
    - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
    - https://vms.drweb.fr/virus/?i=24144899
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_add:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
    selection_cli_reg_start:
        CommandLine|contains|all:
            - 'd 4'
            - 'v Start'
        CommandLine|contains:
            - '\AppIDSvc'
            - '\MsMpSvc'
            - '\NisSrv'
            - '\SecurityHealthService'
            - '\Sense'
            - '\UsoSvc'
            - '\WdBoot'
            - '\WdFilter'
            - '\WdNisDrv'
            - '\WdNisSvc'
            - '\WinDefend'
            - '\wscsvc'
            - '\wuauserv'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
description: |
    Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
        # There is an additional "\" to escape the special "?"
        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    selection_2:
        CommandLine|contains:
            - '\\NTDS.dit'
            - '\\SYSTEM'
            - '\\SECURITY'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Serpent Backdoor Payload Execution Via Scheduled Task
id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
status: test
description: |
    Detects post exploitation execution technique of the Serpent backdoor.
    According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
    It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
author: '@kostastsale'
date: 2022-03-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.006
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '[System/EventID='
            - '/create'
            - '/delete'
            - '/ec'
            - '/so'
            - '/tn run'
    condition: selection
falsepositives:
    - Unlikely
level: high