title: Suspicious DotNET CLR Usage Log Artifact
id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
related:
    - id: 4508a70e-97ef-4300-b62b-ff27992990ea
      type: derived
    - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
      type: obsolete
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
    - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
author: frack113, omkar72, oscd.community, Wojciech Lesicki
date: 2022-11-18
modified: 2023-02-23
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
detection:
    selection:
        TargetFilename|endswith:
            - '\UsageLogs\cmstp.exe.log'
            - '\UsageLogs\cscript.exe.log'
            - '\UsageLogs\mshta.exe.log'
            - '\UsageLogs\msxsl.exe.log'
            - '\UsageLogs\regsvr32.exe.log'
            - '\UsageLogs\rundll32.exe.log'
            - '\UsageLogs\svchost.exe.log'
            - '\UsageLogs\wscript.exe.log'
            - '\UsageLogs\wmic.exe.log'
    filter_main_rundll32:
        # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
        ParentImage|endswith: '\MsiExec.exe'
        ParentCommandLine|contains: ' -Embedding'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains|all:
            - 'Temp'
            - 'zzzzInvokeManagedCustomActionOutOfProc'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
level: high

title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
      type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
    - https://twitter.com/blackorbird/status/1140519090961825792
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019-06-26
modified: 2025-05-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '      .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
        CommandLine|contains:
            - '      .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
      type: derived
    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
      type: similar
status: test
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2026-03-31
tags:
    - attack.stealth
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection_gen:
        TargetFilename|endswith:
            - '.exe'
            - '.iso'
            - '.rar'
            - '.svg'
            - '.zip'
            # - '.lnk'  # legitimate links can happen just anywhere
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.gif.'
            - '.jpeg.'
            - '.jpg.'
            - '.mp3.'
            - '.mp4.'
            - '.pdf.'
            - '.png.'
            - '.ppt.'
            - '.pptx.'
            - '.rtf.'
            - '.svg.'
            - '.txt.'
            - '.xls.'
            - '.xlsx.'
    selection_exe:
        TargetFilename|endswith:
            - '.rar.exe'
            - '.zip.exe'
    # Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations
    # filter_main_lnk:
    #     TargetFilename|contains:
    #         - '\AppData\Roaming\Microsoft\Office\Recent\'
    #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_icons_linux:
        TargetFilename|startswith: '/usr/share/icons/'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unlikely
level: high

title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
    Detects suspicious use of command-line tools such as curl or wget to download remote
    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
    immediate execution, indicating potential malicious activity. This pattern is commonly used
    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
    - https://gtfobins.github.io/gtfobins/wget/
    - https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
falsepositives:
    - System update scripts using temporary files
    - Installer scripts or automated provisioning tools
level: high

title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
    - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
    - https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
    - attack.command-and-control
    - attack.resource-development
    - attack.t1105
    - attack.t1608
logsource:
    product: windows
    category: process_creation
detection:
    selection_download:
        - Image|endswith:
              - '\curl.exe'
              - '\wget.exe'
        - CommandLine|contains:
              - 'Invoke-WebRequest'
              - 'iwr '
              - 'curl '
              - 'wget '
              - 'Start-BitsTransfer'
              - '.DownloadFile('
              - '.DownloadString('
    selection_domains:
        CommandLine|contains:
            - 'https://attachment.outlook.live.net/owa/'
            - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
    condition: all of selection_*
falsepositives:
    - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high

title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
related:
    - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
      type: similar
status: test
description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
references:
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
author: pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # ::("L"+"oad")
            - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
            - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
            - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
            # ::("Lo"+"ad")
            - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
            - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
            - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
            # ::("Loa"+"d")
            - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
            - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
            - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
            # ::('L'+'oad')
            - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
            - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
            - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
            # ::('Lo'+'ad')
            - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
            - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
            - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
            # ::('Loa'+'d')
            - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
            - 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
            - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Suspicious Environment Variable Has Been Registered
id: 966315ef-c5e1-4767-ba25-fce9c8de3660
status: test
description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains: '\Environment\'
    selection_details:
        - Details:
              - 'powershell'
              - 'pwsh'
        - Details|contains:
              # Add more suspicious strings in env variables below
              - '\AppData\Local\Temp\'
              - 'C:\Users\Public\'
              # Base64 MZ Header
              - 'TVqQAAMAAAAEAAAA' # MZ..........
              - 'TVpQAAIAAAAEAA8A'
              - 'TVqAAAEAAAAEABAA'
              - 'TVoAAAAAAAAAAAAA'
              - 'TVpTAQEAAAAEAAAA'
              # Base64 Invoke- (UTF-8)
              - 'SW52b2tlL'
              - 'ludm9rZS'
              - 'JbnZva2Ut'
              # Base64 Invoke- (UTF-16LE)
              - 'SQBuAHYAbwBrAGUALQ'
              - 'kAbgB2AG8AawBlAC0A'
              - 'JAG4AdgBvAGsAZQAtA'
        - Details|startswith:  # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
              - 'SUVY'
              - 'SQBFAF'
              - 'SQBuAH'
              - 'cwBhA'
              - 'aWV4'
              - 'aQBlA'
              - 'R2V0'
              - 'dmFy'
              - 'dgBhA'
              - 'dXNpbm'
              - 'H4sIA'
              - 'Y21k'
              - 'cABhAH'
              - 'Qzpc'
              - 'Yzpc'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
    Detect creation of suspicious executable file names.
    Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
    - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
    - attack.stealth
    - attack.t1564
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\$Recycle.Bin.exe'
            - ':\Documents and Settings.exe'
            - ':\MSOCache.exe'
            - ':\PerfLogs.exe'
            - ':\Recovery.exe'
            - '.bat.exe'
            - '.sys.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
    - Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\Temporary Internet Files\Content.Outlook\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Execution Location Of Wermgr.EXE
id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
related:
    - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
      type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2023-08-23
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\wermgr.exe'
    filter_main_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 8023f872-3f1d-4301-a384-801889917ab4
      type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            # Please add new values while respecting the alphabetical order
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\ProcDump'
            - '\Process Explorer'
            - '\PsExec'
            - '\PsLoggedon'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\PsPing'
            - '\PsService'
            - '\SDelete'
        TargetObject|endswith: '\EulaAccepted'
    filter:
        Image|endswith:
            # Please add new values while respecting the alphabetical order
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\PsLoggedon.exe'
            - '\PsLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\PsPing.exe'
            - '\PsPing64.exe'
            - '\PsService.exe'
            - '\PsService64.exe'
            - '\sdelete.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml

title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
related:
    - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
      type: similar
    - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
      type: similar
status: experimental
description: |
    Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
    ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
    The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
modified: 2025-11-26
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.004
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_explorer:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_space_variation:
        CommandLine|contains:
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space (0x20)
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious File Created Via OneNote Application
id: fcc6d700-68d9-4241-9a1a-06874d621b06
status: test
description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
references:
    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/MaD_c4t/status/1623414582382567424
    - https://labs.withsecure.com/publications/detecting-onenote-abuse
    - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
    - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-09
modified: 2023-02-27
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\onenote.exe'
            - '\onenotem.exe'
            - '\onenoteim.exe'
        TargetFilename|contains: '\AppData\Local\Temp\OneNote\'
        TargetFilename|endswith:
            # TODO: Add more suspicious extensions
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.htm'
            - '.html'
            - '.js'
            - '.lnk'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
    - Occasional FPs might occur if OneNote is used internally to share different embedded documents
level: high

title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates a file with suspicious file type, indicating that it may be an executable, script file,
    or otherwise unusual.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.initial-access
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: obsolete
status: experimental
description: |
    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection_extension:
        TargetFilename|endswith:
            - '.cpl'
            - '.hta'
            - '.iso'
            - '.rdp'
            - '.svg'
            - '.vba'
            - '.vbe'
            - '.vbs'
    selection_location:
        - TargetFilename|contains:
              - '\AppData\Local\Packages\Microsoft.Outlook_'
              - '\AppData\Local\Microsoft\Olk\Attachments\'
        - TargetFilename|contains|all:
              - '\AppData\Local\Microsoft\Windows\'
              - '\Content.Outlook\'
    condition: all of selection_*
falsepositives:
    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high

title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
related:
    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
      type: derived
status: test
description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
    - attack.persistence
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - Image|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
        - TargetFilename|contains:
              # e.g. C:\$RECYCLER.BIN
              - 'RECYCLERS.BIN\'
              - 'RECYCLER.BIN\'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml

title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
    - attack.execution
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.lnk'
            - '.msi'
            - '.ps1'
            - '.psm1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    filter_main:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
            - '\AppData\Roaming\'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high

title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
    Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '.asax'
            - '.ascx'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cmd'
            - '.cer'
            - '.config'
            - '.hta'
            - '.js'
            - '.jsp'
            - '.jspx'
            - '.php'
            - '.ps1'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious FileFix Execution Pattern
id: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
related:
    - id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
      type: similar
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: obsolete
status: experimental
description: |
    Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
    This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
    which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
    The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
references:
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command
    - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-24
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec_parent:
        # This is case where phishing pages trick users to paste commands in browser file upload dialog
        ParentImage|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        CommandLine|contains: '#'
    selection_cli_lolbin:
        CommandLine|contains:
            - '%comspec%'
            - 'bitsadmin'
            - 'certutil'
            - 'cmd'
            - 'cscript'
            - 'curl'
            - 'finger'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'schtasks'
            - 'wget'
            - 'wscript'
    selection_cli_captcha:
        CommandLine|contains:
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: selection_exec_parent and 1 of selection_cli_*
falsepositives:
    - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
level: high

title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.004
    - attack.t1027
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '{echo'
            - '{base64,-d}'
    condition: selection
falsepositives:
    - Legitimate files with similar naming patterns (very unlikely).
level: high

title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GUP.exe'
    filter_programfiles:
        Image|endswith:
            - '\Program Files\Notepad++\updater\GUP.exe'
            - '\Program Files (x86)\Notepad++\updater\GUP.exe'
    filter_user:
        Image|contains: '\Users\'
        Image|endswith:
            - '\AppData\Local\Notepad++\updater\GUP.exe'
            - '\AppData\Roaming\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high

title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
    Get-Variable is a valid PowerShell cmdlet
    WindowsApps is by default in the path where PowerShell is executed.
    So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
    - https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1546
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious GrpConv Execution
id: f14e169e-9978-4c69-acb3-1cff8200bc36
status: test
description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
references:
    - https://twitter.com/0gtweet/status/1526833181831200770
author: Florian Roth (Nextron Systems)
date: 2022-05-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'grpconv.exe -o'
            - 'grpconv -o'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
    - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
    - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
    - https://twitter.com/cyberwar_15/status/1187287262054076416
    - https://blog.alyac.co.kr/1901
    - https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.execution
    - attack.t1203
    - attack.t1059.003
    - attack.g0032
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Hwp.exe'
        Image|endswith: '\gbb.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious IIS Module Registration
id: 043c4b8b-3a54-4780-9682-081cb6b8185c
status: test
description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
references:
    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems), Microsoft (idea)
date: 2022-08-04
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\w3wp.exe'
    selection_cli_1:
        CommandLine|contains: 'appcmd.exe add module'
    selection_cli_2:
        CommandLine|contains: ' system.enterpriseservices.internal.publish'
        Image|endswith: '\powershell.exe'
    selection_cli_3:
        CommandLine|contains|all:
            - 'gacutil'
            - ' /I'
    condition: selection_parent and 1 of selection_cli_*
falsepositives:
    - Administrative activity
level: high

title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2022-08-13
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename:
            - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
            - 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
    condition: selection
falsepositives:
    - Administrative activity
    - PowerShell scripts running as SYSTEM user
level: high

title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: test
description: |
    Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
    This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://gtfobins.github.io/gtfobins/awk/#shell
    - https://gtfobins.github.io/gtfobins/gawk/#shell
    - https://gtfobins.github.io/gtfobins/nawk/#shell
    - https://gtfobins.github.io/gtfobins/mawk/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/awk'
            - '/gawk'
            - '/mawk'
            - '/nawk'
        CommandLine|contains: 'BEGIN {system'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
    Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
    - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/rsync'
            - '/rsyncd'
        Image|endswith:
            - '/ash'
            - '/bash'
            - '/csh'
            - '/dash'
            - '/ksh'
            - '/sh'
            - '/tcsh'
            - '/zsh'
    filter_main_expected:
        CommandLine|contains: ' -e '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Java Children Processes
id: d292e0af-9a18-420c-9525-ec0ac3936892
status: test
description: Detects java process spawning suspicious children
references:
    - https://www.tecmint.com/different-types-of-linux-shells/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/java'
        CommandLine|contains:
            - '/bin/sh'
            - 'bash'
            - 'dash'
            - 'ksh'
            - 'zsh'
            - 'csh'
            - 'fish'
            - 'curl'
            - 'wget'
            - 'python'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
    - https://twitter.com/0gtweet/status/1474899714290208777?s=12
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: windows
    category: process_creation
detection:
    selection_plain:
        Image|endswith: '\dtrace.exe'
        CommandLine|contains: 'lkd(0)'
    selection_obfuscated:
        CommandLine|contains|all:
            - 'syscall:::return'
            - 'lkd('
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml

title: Suspicious LNK Command-Line Padding with Whitespace Characters
id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
status: experimental
description: |
    Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
    Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
    The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
    This rule flags suspicious use of such padding observed in real-world attacks.
references:
    - https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
    - https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
    - https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-19
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - ParentImage|endswith: '\explorer.exe'
        - ParentCommandLine|contains: '.lnk'
    selection_cmd:
        - CommandLine|contains:
              - '                 '  # Padding of SPACE (0x20)
            # - '	'  # Horizontal Tab (0x9)
              - '\u0009'
              - '\u000A' # Line Feed
              - '\u0011'
              - '\u0012'
              - '\u0013'
              - '\u000B' # Vertical Tab
              - '\u000C'  # \x0C
              - '\u000D'  # \x0D
        - CommandLine|re: '\n\n\n\n\n\n' # In some cases \u000[ABCD] are represented as a newline in the eventlog
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
      type: similar
status: experimental
description: |
    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
    - https://blog.axelarator.net/hunting-for-edr-freeze/
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1003
    - attack.t1685
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        Image|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - '\$Recycle.Bin\'
            - '\Contacts\'
            # - '\Desktop\'
            - '\Documents\'
            # - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            #  - '\AppData\Local\Temp\' some installers may load from here
    selection_dll:
        ImageLoaded|endswith:
            - '\dbgcore.dll'
            - '\dbghelp.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml

title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\MSExchangeMailboxReplication.exe'
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
    - https://redcanary.com/blog/applescript/
    - https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059.002
    - attack.t1137.002
    - attack.t1204.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Microsoft Word'
            - 'Microsoft Excel'
            - 'Microsoft PowerPoint'
            - 'Microsoft OneNote'
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/dash'
            - '/fish'
            - '/osacompile'
            - '/osascript'
            - '/sh'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/wget'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
    - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog
      type: similar
status: test
description: |
    Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
    Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
    Instead they modify the task after creation to include their malicious payload
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_schtasks:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /Change '
            - ' /TN '
    selection_susp_locations:
        CommandLine|contains:
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    selection_susp_images:
        CommandLine|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
            - 'hh '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious New Service Creation
id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8
related:
    - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
      type: derived
status: test
description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'create'
            - 'binPath='
    selection_posh:
        CommandLine|contains|all:
            - 'New-Service'
            - '-BinaryPathName'
    susp_binpath:
        CommandLine|contains:
            # Add more suspicious commands or binaries
            - 'powershell'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'svchost'
            - 'dllhost'
            - 'cmd '
            - 'cmd.exe /c'
            - 'cmd.exe /k'
            - 'cmd.exe /r'
            - 'rundll32'
            # Add more suspicious paths
            - 'C:\Users\Public'
            - '\Downloads\'
            - '\Desktop\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - 'C:\Windows\TEMP\'
            - '\AppData\Local\Temp'
    condition: 1 of selection* and susp_binpath
falsepositives:
    - Unlikely
level: high

title: Suspicious Nohup Execution
id: 457df417-8b9d-4912-85f3-9dbda39c3645
related:
    - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
      type: derived
status: test
description: Detects execution of binaries located in potentially suspicious locations via "nohup"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
        CommandLine|contains: '/tmp/'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Obfuscated PowerShell Code
id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
status: test
description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
references:
    - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
author: Florian Roth (Nextron Systems)
date: 2022-07-11
modified: 2023-02-14
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            #  -bxor 0x
            - 'IAAtAGIAeABvAHIAIAAwAHgA'
            - 'AALQBiAHgAbwByACAAMAB4A'
            - 'gAC0AYgB4AG8AcgAgADAAeA'
            # .Invoke() |
            - 'AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg'
            - 'AuAEkAbgB2AG8AawBlACgAKQAgAHwAI'
            - 'ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC'
            # {1}{0}" -f
            # {0}{3}" -f
            # {2}{0}" -f
            - 'AHsAMQB9AHsAMAB9ACIAIAAtAGYAI'
            - 'B7ADEAfQB7ADAAfQAiACAALQBmAC'
            - 'AewAxAH0AewAwAH0AIgAgAC0AZgAg'
            - 'AHsAMAB9AHsAMwB9ACIAIAAtAGYAI'
            - 'B7ADAAfQB7ADMAfQAiACAALQBmAC'
            - 'AewAwAH0AewAzAH0AIgAgAC0AZgAg'
            - 'AHsAMgB9AHsAMAB9ACIAIAAtAGYAI'
            - 'B7ADIAfQB7ADAAfQAiACAALQBmAC'
            - 'AewAyAH0AewAwAH0AIgAgAC0AZgAg'
            # {1}{0}' -f
            # {0}{3}' -f
            # {2}{0}' -f
            - 'AHsAMQB9AHsAMAB9ACcAIAAtAGYAI'
            - 'B7ADEAfQB7ADAAfQAnACAALQBmAC'
            - 'AewAxAH0AewAwAH0AJwAgAC0AZgAg'
            - 'AHsAMAB9AHsAMwB9ACcAIAAtAGYAI'
            - 'B7ADAAfQB7ADMAfQAnACAALQBmAC'
            - 'AewAwAH0AewAzAH0AJwAgAC0AZgAg'
            - 'AHsAMgB9AHsAMAB9ACcAIAAtAGYAI'
            - 'B7ADIAfQB7ADAAfQAnACAALQBmAC'
            - 'AewAyAH0AewAwAH0AJwAgAC0AZgAg'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
      type: derived
    - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
      type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\OUTLOOK.EXE'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mftrace.exe'
            - '\msbuild.exe'        # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\msdt.exe'           # CVE-2022-30190
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\svchost.exe'        # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
            - '\wmic.exe'           # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\wscript.exe'
            # Several FPs with rundll32.exe
            # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
            # - '\rundll32.exe'
            # filter_outlook_photoviewer:  # https://twitter.com/Luke_Hamp/status/1495919717760237568
            #   ParentImage|endswith: '\OUTLOOK.EXE'
            #   Image|endswith: '\rundll32.exe'
            #   CommandLine|contains: '\PhotoViewer.dll'
            # filter_outlook_printattachments:  # https://twitter.com/KickaKamil/status/1496238278659485696
            #   ParentImage|endswith: '\OUTLOOK.EXE'
            #   Image|endswith: '\rundll32.exe'
            #   CommandLine|contains|all:
            #     - 'shell32.dll,Control_RunDLL'
            #     - '\SYSTEM32\SPOOL\DRIVERS\'
    condition: selection # and not 1 of filter*
falsepositives:
    - Unknown
level: high

title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high

title: Suspicious Parent Double Extension File Execution
id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
      type: derived
status: test
description: Detect execution of suspicious double extension files in ParentCommandLine
references:
    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-06
modified: 2023-02-28
tags:
    - attack.stealth
    - attack.t1036.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - ParentImage|endswith:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
        - ParentCommandLine|contains:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Path In Keyboard Layout IME File Registry Value
id: 9d8f9bb8-01af-4e15-a3a2-349071530530
related:
    - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
      type: derived
status: test
description: |
    Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
    Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
    IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
    - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_registry:
        TargetObject|contains|all:
            - '\Control\Keyboard Layouts\'
            - 'Ime File'
    selection_folders_1:
        Details|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
    selection_folders_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
    condition: selection_registry and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high

title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
    - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
    - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
    selection_count:
        CommandLine|contains|windash: ' -n '
    selection_nul:
        CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
    selection_del_param:
        CommandLine|contains|windash:
            - ' -f '
            - ' -q '
    selection_all:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'del '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious PowerShell Download and Execute Pattern
id: e6c54d94-498c-4562-a37c-b469d8e9a275
related:
    - id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
      type: derived
status: test
description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
references:
    - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2022-02-28
modified: 2022-03-01
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: # make sure that your backend applies the strings case-insensitive
            - 'IEX ((New-Object Net.WebClient).DownloadString'
            - 'IEX (New-Object Net.WebClient).DownloadString'
            - 'IEX((New-Object Net.WebClient).DownloadString'
            - 'IEX(New-Object Net.WebClient).DownloadString'
            - ' -command (New-Object System.Net.WebClient).DownloadFile('
            - ' -c (New-Object System.Net.WebClient).DownloadFile('
    condition: selection
falsepositives:
    - Software installers that pull packages from remote systems and execute them
level: high

title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: test
description: Detects suspicious ways to run Invoke-Execution using IEX alias
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-24
modified: 2022-11-28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_combined_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' | iex;'
            - ' | iex '
            - ' | iex}'
            - ' | IEX ;'
            - ' | IEX -Error'
            - ' | IEX (new'
            - ');IEX '
    selection_combined_2:
        CommandLine|contains:
            - '::FromBase64String'
            - '.GetString([System.Convert]::'
    selection_standalone:
        CommandLine|contains:
            - ')|iex;$'
            - ');iex($'
            - ');iex $'
            - ' | IEX | '
            - ' | iex\"'
    condition: all of selection_combined_* or selection_standalone
falsepositives:
    - Legitimate scripts that use IEX
level: high

title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -windowstyle h '
            - ' -windowstyl h'
            - ' -windowsty h'
            - ' -windowst h'
            - ' -windows h'
            - ' -windo h'
            - ' -wind h'
            - ' -win h'
            - ' -wi h'
            - ' -win h '
            - ' -win hi '
            - ' -win hid '
            - ' -win hidd '
            - ' -win hidde '
            - ' -NoPr '
            - ' -NoPro '
            - ' -NoProf '
            - ' -NoProfi '
            - ' -NoProfil '
            - ' -nonin '
            - ' -nonint '
            - ' -noninte '
            - ' -noninter '
            - ' -nonintera '
            - ' -noninterac '
            - ' -noninteract '
            - ' -noninteracti '
            - ' -noninteractiv '
            - ' -ec '
            - ' -encodedComman '
            - ' -encodedComma '
            - ' -encodedComm '
            - ' -encodedCom '
            - ' -encodedCo '
            - ' -encodedC '
            - ' -encoded '
            - ' -encode '
            - ' -encod '
            - ' -enco '
            - ' -en '
            - ' -executionpolic '
            - ' -executionpoli '
            - ' -executionpol '
            - ' -executionpo '
            - ' -executionp '
            - ' -execution bypass'
            - ' -executio bypass'
            - ' -executi bypass'
            - ' -execut bypass'
            - ' -execu bypass'
            - ' -exec bypass'
            - ' -exe bypass'
            - ' -ex bypass'
            - ' -ep bypass'
            - ' /windowstyle h '
            - ' /windowstyl h'
            - ' /windowsty h'
            - ' /windowst h'
            - ' /windows h'
            - ' /windo h'
            - ' /wind h'
            - ' /win h'
            - ' /wi h'
            - ' /win h '
            - ' /win hi '
            - ' /win hid '
            - ' /win hidd '
            - ' /win hidde '
            - ' /NoPr '
            - ' /NoPro '
            - ' /NoProf '
            - ' /NoProfi '
            - ' /NoProfil '
            - ' /nonin '
            - ' /nonint '
            - ' /noninte '
            - ' /noninter '
            - ' /nonintera '
            - ' /noninterac '
            - ' /noninteract '
            - ' /noninteracti '
            - ' /noninteractiv '
            - ' /ec '
            - ' /encodedComman '
            - ' /encodedComma '
            - ' /encodedComm '
            - ' /encodedCom '
            - ' /encodedCo '
            - ' /encodedC '
            - ' /encoded '
            - ' /encode '
            - ' /encod '
            - ' /enco '
            - ' /en '
            - ' /executionpolic '
            - ' /executionpoli '
            - ' /executionpol '
            - ' /executionpo '
            - ' /executionp '
            - ' /execution bypass'
            - ' /executio bypass'
            - ' /executi bypass'
            - ' /execut bypass'
            - ' /execu bypass'
            - ' /exec bypass'
            - ' /exe bypass'
            - ' /ex bypass'
            - ' /ep bypass'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: test
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
    - https://twitter.com/SBousseaden/status/1410545674773467140
author: Florian Roth (Nextron Systems)
date: 2020-07-01
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574
    - cve.2021-1675
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\Control\Print\Environments\Windows x64\Drivers'
            - '\Manufacturer'
        Details: '(Empty)'
    filter_cutepdf:
        TargetObject|contains: '\CutePDF Writer v4.0\'
    filter_vnc:
        TargetObject|contains:
            - '\VNC Printer (PS)\'
            - '\VNC Printer (UD)\'
    filter_pdf24:
        TargetObject|contains: '\Version-3\PDF24\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
level: high

title: Suspicious PrinterPorts Creation (CVE-2020-1048)
id: cc08d590-8b90-413a-aff6-31d1a99678d7
status: test
description: Detects new commands that add new printer port which point to suspicious file
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth
date: 2020-05-13
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.t1059.001
    - cve.2020-1048
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: 'Add-PrinterPort -Name'
    selection2:
        CommandLine|contains:
            - '.exe'
            - '.dll'
            - '.bat'
    selection3:
        CommandLine|contains: 'Generic / Text Only'
    condition: (selection1 and selection2) or selection3
falsepositives:
    - New printer port install on host
level: high

title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1505.003
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\php.exe'
            - '\tomcat.exe'
            - '\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
            - '\w3wp.exe'
            - '\ws_TomcatService.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentCommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.home'
            - 'catalina.jar'
    selection_anomaly_children:
        Image|endswith:
            - '\arp.exe'
            - '\at.exe'
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dsget.exe'
            - '\hostname.exe'
            - '\nbtstat.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netdom.exe'
            - '\netsh.exe'
            - '\nltest.exe'
            - '\ntdsutil.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\qprocess.exe'
            - '\query.exe'
            - '\qwinsta.exe'
            - '\reg.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wusa.exe'
    filter_main_fp_1:
        ParentImage|endswith: '\java.exe'
        CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
    filter_main_fp_2:
        ParentImage|endswith: '\java.exe'
        CommandLine|contains|all:
            - 'sc query'
            - 'ADManager Plus'
    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
    - Particular web applications may spawn a shell process legitimately
level: high

title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
    - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
      type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
references:
    - https://thedfirreport.com/2020/10/08/ryuks-return/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'process '
            - 'call '
            - 'create '
        CommandLine|contains:
            # Add more susupicious paths and binaries as you see fit in your env
            - 'rundll32'
            - 'bitsadmin'
            - 'regsvr32'
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'powershell'
            - 'pwsh'
            - 'certutil'
            - 'cscript'
            - 'wscript'
            - 'mshta'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '\AppData\Local\'
            - '%temp%'
            - '%tmp%'
            - '%ProgramData%'
            - '%appdata%'
            - '%comspec%'
            - '%localappdata%'
    condition: selection
falsepositives:
    - Unknown
level: high