title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
    - http://addbalance.com/word/startup.htm
    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb' # MS Access DB
            - '.mdw' # MS Access DB
            - '.pdf' # PDF documents
            - '.wll' # Word add-in
            - '.wwl' # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high

title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_legit_paths:
        TargetFilename|startswith:
            - 'C:\Program Files\Notepad++\'
            - 'C:\Program Files (x86)\Notepad++\'
    filter_main_temp_update_installer:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - 'npp.'
            - '.Installer.'
            - '.exe'
    filter_main_temp_generic_zip:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip'
    filter_main_recycle_bin:
        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
    filter_main_plugins:
        - TargetFilename|contains:
              - '\plugins\JsonTools\testfiles\'
              - '\Notepad++\plugins\ComparePlugin\'
        - TargetFilename|contains|all:
              - 'npp.'
              - '.portable.'
              - '\plugins\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Custom or portable Notepad++ installations in non-standard directories.
    - Legitimate update processes creating temporary files in unexpected locations.
level: high

title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
    Detects the creation of files with scripting or executable extensions by Mysql daemon.
    Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
    - https://asec.ahnlab.com/en/58878/
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - \mysqld.exe
            - \mysqld-nt.exe
        TargetFilename|endswith:
            - '.bat'
            - '.dat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.psm1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Uncommon FileSystem Load Attempt By Format.com
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
description: |
    Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
    - https://twitter.com/0gtweet/status/1477925112561209344
    - https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2024-05-13
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\format.com'
        CommandLine|contains: '/fs:'
    filter_main_known_fs:
        CommandLine|contains:
            - '/fs:exFAT'
            - '/fs:FAT'
            - '/fs:NTFS'
            - '/fs:ReFS'
            - '/fs:UDF'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
      type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - Internal Research
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high

title: Uninstall Crowdstrike Falcon Sensor
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021-07-12
modified: 2023-03-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\WindowsSensor.exe'
            - ' /uninstall'
            - ' /quiet'
    condition: selection
falsepositives:
    - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
level: high

title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
status: test
description: |
    Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
references:
    - Internal Research
author: '@kostastsale'
date: 2023-07-16
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/C '
            - ' >> *\AppData\local\temp\*.bin'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: User Added To Highly Privileged Group
id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
related:
    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
      type: similar
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
status: test
description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              # net.exe
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              # powershell.exe
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Group Policy Creator Owners'
            - 'Schema Admins'
    condition: all of selection_*
falsepositives:
    - Administrative activity that must be investigated
level: high

title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.lateral-movement
    - attack.t1133
    - attack.t1136.001
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high

title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.008
logsource:
    category: process_creation
    product: windows
detection:
    system_utility:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    parent_is_settingsynchost:
        ParentCommandLine|contains|all:
            - 'cmd.exe /c'
            - 'RoamDiag.cmd'
            - '-outputpath'
    condition: not system_utility and parent_is_settingsynchost
falsepositives:
    - Unknown
level: high

title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|endswith:
            - '\VBE7.DLL'
            - '\VBEUI.DLL'
            - '\VBE7INTL.DLL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high

title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
        Details|contains:
            - 'vbscript:'
            - 'jscript:'
            - 'mshtml,'
            - 'RunHTMLApplication'
            - 'Execute('
            - 'CreateObject'
            - 'window.close'
    filter:
        TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
    filter_dotnet:
        Image|endswith: '\msiexec.exe'
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
        Details|contains:
            - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
            - '<\Microsoft.mshtml,fileVersion='
            - '_mshtml_dll_'
            - '<\Microsoft.mshtml,culture='
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: high

title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects dump of credentials in VeeamBackup dbo
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-02-13
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        Image|endswith: '\sqlcmd.exe'
    selection_query:
        CommandLine|contains|all:
            - 'SELECT'
            - 'TOP'
            - '[VeeamBackup].[dbo].[Credentials]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
    Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/vi/
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems), Luc Génaux
date: 2022-12-28
modified: 2026-06-05
tags:
    - attack.execution
    - attack.discovery
    - attack.t1059
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rvim'
            - '/vi'
            - '/vim'
            - '/vimdiff'
        CommandLine|contains:
            - ' --cmd '
            - ' -c'
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':!$'
            - ':!..'
            - ':lua '
            - ':py '
            - ':shell'
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/csh'
            - '/bin/ksh'
            - '/bin/zsh'
            - '/bin/tmux'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Visual Basic Command Line Compiler Usage
id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
status: test
description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vbc.exe'
        Image|endswith: '\cvtres.exe'
    condition: selection
falsepositives:
    - Utilization of this tool should not be seen in enterprise environment
level: high

title: VolumeShadowCopy Symlink Creation Via Mklink
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
status: stable
description: Shadow Copies storage symbolic link creation using operating systems utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2023-03-06
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'mklink'
            - 'HarddiskVolumeShadowCopy'
    condition: selection
falsepositives:
    - Legitimate administrator working with shadow copies, access for backup purposes
level: high

title: WINEKEY Registry Modification
id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
status: test
description: Detects potential malicious modification of run keys by winekey or team9 backdoor
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
    condition: selection
falsepositives:
    - Unknown
level: high

title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1546.003
    - attack.persistence
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        ImageLoaded|endswith: '\wbemcons.dll'
    condition: selection
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: high

title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: test
description: Detects file writes of WMI script event consumer
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1546.003
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
    condition: selection
falsepositives:
    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high

title: WSL Kali-Linux Usage
id: 6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4
status: experimental
description: Detects the use of Kali Linux through Windows Subsystem for Linux
references:
    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
    - https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_appdata:
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\packages\KaliLinux'
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\Microsoft\WindowsApps\kali.exe'
    selection_img_windowsapps:
        Image|contains: ':\Program Files\WindowsApps\KaliLinux.'
        Image|endswith: '\kali.exe'
    selection_kali_wsl_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_kali_wsl_child:
        - Image|contains:
              - '\kali.exe'
              - '\KaliLinux'
        - CommandLine|contains:
              - 'Kali.exe'
              - 'Kali-linux'
              - 'kalilinux'
    filter_main_install_uninstall:
        CommandLine|contains:
            - ' -i '
            - ' --install '
            - ' --unregister '
    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
falsepositives:
    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high

title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|contains:
            - ':\Perflogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
        TargetFilename|endswith:
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Wab Execution From Non Default Location
id: 395907ee-96e5-4666-af2e-2ca91688e151
status: test
description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wab.exe'
            - '\wabmig.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\WinSxS\'
            - 'C:\Program Files\Windows Mail\'
            - 'C:\Program Files (x86)\Windows Mail\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Wab/Wabmig Unusual Parent Or Child Processes
id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
status: test
description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more if known
            - \WmiPrvSE.exe
            - \svchost.exe
            - \dllhost.exe
        Image|endswith:
            - '\wab.exe'
            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
    selection_child:
        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
        ParentImage|endswith:
            - '\wab.exe'
            - '\wabmig.exe' # (Microsoft Address Book Import Tool)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
status: test
description: |
  Detects potential malicious modification of the property value of IsCredGuardEnabled from
  HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
  This is usually used with UseLogonCredential to manipulate the caching credentials.
references:
    - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-08-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\IsCredGuardEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
status: test
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
    - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
    - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
    - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-09-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'WDigest\UseLogonCredential'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Unknown
level: high

title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
   # Webserver
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # SUspicious patterns
        CommandLine|contains:
            - ' -decode '  # Used with certutil
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' /decode '  # Used with certutil
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - '.dmp full'  # Process dumping method apart from procdump
            - '.downloadfile('  # PowerShell download command
            - '.downloadstring('  # PowerShell download command
            - 'FromBase64String' # PowerShell encoded payload
            - 'process call create' # WMIC process creation
            - 'reg save '  # save registry SAM - syskey extraction
            - 'whoami /priv'
    condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high

title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020-07-22
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'CATALINA_HOME'
            - 'catalina.jar'
    selection_recon:
        CommandLine|contains:
            - 'perl --help'
            - 'perl -h'
            - 'python --help'
            - 'python -h'
            - 'python3 --help'
            - 'python3 -h'
            - 'wget --help'
    condition: 1 of selection_webserver_* and selection_recon
falsepositives:
    - Unknown
level: high

title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
    - https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: C:\WINDOWS\system32\WerFault.exe
        TargetFilename|contains:
            - '\lsass'
            - 'lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: WhoAmI as Parameter
id: e9142d84-fbe0-401d-ac50-3e519fb00c89
status: test
description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
references:
    - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '.exe whoami'
    condition: selection
falsepositives:
    - Unknown
level: high

title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
      type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        Image|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\RuntimeBroker.exe'
            - '\sihost.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.txt'
            - '.vbe'
            - '.vbs'
    selection_special:
        Image|endswith:
            - '\dllhost.exe'
            - '\rundll32.exe'
            - '\svchost.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_main_AppLockerPolicyTest:
        Image: 'C:\Windows\System32\dllhost.exe'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\__PSScriptPolicyTest_'
        TargetFilename|endswith: '.ps1'
    filter_main_script_gpo_machine:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Windows\System32\GroupPolicy\DataStore\'
            - '\sysvol\'
            - '\Policies\'
            - '\Machine\Scripts\Startup\'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
    filter_main_clipchamp:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Program Files\WindowsApps\Clipchamp'
            - '.ps1'
    filter_main_powershell_preview:
        Image:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Windows Credential Guard Disabled - Registry
id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
related:
    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
    - https://woshub.com/disable-credential-guard-windows/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\Lsa\LsaCfgFlags'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml

title: Windows Credential Guard Related Registry Value Deleted - Registry
id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
related:
    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
    - https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\DeviceGuard\RequirePlatformSecurityFeatures'
            - '\Lsa\LsaCfgFlags'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml

title: Windows Defender Service Disabled - Registry
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
status: test
description: Detects when an attacker or tool disables the  Windows Defender service (WinDefend) via the registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022-08-01
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Services\WinDefend\Start'
        Details: 'DWORD (0x00000004)'
    condition: selection
falsepositives:
    - Administrator actions
level: high

title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
      type: similar
status: experimental
description: |
    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
falsepositives:
    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
    - Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high

title: Windows Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
related:
    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
      type: similar
status: test
description: |
    Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
            - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020

title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
        TargetFilename|startswith:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
    selection_2:
        Image|endswith:
            - '\certutil.exe'
            - '\forfiles.exe'
            - '\mshta.exe'
            # - '\rundll32.exe' # Potential FP
            - '\schtasks.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
        TargetFilename|contains:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.001
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            # - '\cmd.exe'  # too many false positives
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\wmiprvse.exe'
            - '\regsvr32.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\nslookup.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\mshta.exe'
    filter_ccmcache:
        CurrentDirectory|contains: '\ccmcache\'
    filter_amazon:
        ParentCommandLine|contains:
            # FP - Amazon Workspaces
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
            - '\nessus_' # Tenable/Nessus VA Scanner
    filter_nessus:
        CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
    filter_sccm_install:
        ParentImage|endswith: '\mshta.exe'
        Image|endswith: '\mshta.exe'
        ParentCommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\splash.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
        CommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\SMSSETUP\BIN\'
            - '\autorun.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    condition: selection and not 1 of filter_*
falsepositives:
    - Administrative scripts
    - Microsoft SCCM
level: high

title: Windows Suspicious Child Process from Node.js - React2Shell
id: 271de298-cc0e-4842-acd8-079a0a99ea65
related:
    - id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
      type: similar
status: experimental
description: |
    Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
    Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
    If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
    For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '\node_modules\next'
            - 'next dev'
            - 'next start'
            - 'next" start'
            - 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method  is used to spawn suspicious processes
        - Image|endswith:
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certutil.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\ipconfig.exe'
              - '\mshta.exe'
              - '\net.exe'
              - '\net1.exe'
              - '\netsh.exe'
              - '\nslookup.exe'
              - '\OpenConsole.exe'
              - '\perl.exe'
              - '\ping.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\py.exe'
              - '\python.exe'
              - '\pythonw.exe'
              - '\pyw.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\sc.exe'
              - '\sh.exe'
              - '\systeminfo.exe'
              - '\wget.exe'
              - '\whoami.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wt.exe'
        - Image|contains: '\python'
    selection_generic_child_cli_susp_pattern:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # In default, the cli will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
        CommandLine|contains:
            - '\net'
            - 'bitsadmin'
            - 'certutil '
            - 'conhost --headless'
            - 'cscript '
            - 'curl'
            - 'ipconfig'
            - 'java'
            - 'lua'
            - 'mshta'
            - 'netsh'
            - 'nslookup '
            - 'perl'
            - 'ping '
            - 'powershell'
            - 'pwsh'
            - 'python'
            - 'reg '
            - 'reg.exe'
            - 'regsvr32'
            - 'ruby'
            - 'rundll32'
            - 'sc.exe'
            - 'systeminfo'
            - 'wget'
            - 'whoami'
            - 'wmic'
            - 'wscript'
    selection_specific_cmd:
        Image|endswith: '\cmd.exe'
    selection_specific_cli:
        CommandLine|contains: '/d /s /c '
    filter_main_default_shell_flag:
        CommandLine|contains: '/d /s /c '
    filter_main_cli_git:
        CommandLine|contains: 'git config --local --get remote.origin.url'
    filter_main_cli_netstat:
        CommandLine|contains|all:
            - 'netstat -ano | findstr /C:'
            - ' | findstr LISTENING'
    filter_main_cli_mkcert_install:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -install '
    filter_main_cli_mkcert_caroot:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -CAROOT'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_cmd and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and not 1 of filter_main_cli_*)
        )
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml

title: Windows Vulnerable Driver Blocklist Disabled
id: d526c60a-e236-4011-b165-831ffa52ab70
related:
    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
      type: similar
status: experimental
description: |
    Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
    Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely and should be investigated immediately.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml

title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
status: test
description: |
    Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021-12-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
        Details|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\wmiprvse.exe'
        ImageLoaded|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: test
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
    Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wusa.exe'
    selection_paths_1:
        ParentImage|contains:
            # Note: Add additional suspicious locations to increase coverage
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            - '\Temporary Internet'
    selection_paths_2:
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_msu:
        # Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
        CommandLine|contains: '.msu'
    condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: similar
status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ADExp.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADExplorer64a.exe'
        TargetFilename|endswith: '.dat'
    condition: selection
falsepositives:
    - Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium

title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium

title: ADSI-Cache File Creation By Uncommon Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
references:
    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
    - https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec, Tim Shelton
date: 2019-03-24
modified: 2023-10-18
tags:
    - attack.t1001.003
    - attack.command-and-control
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
        TargetFilename|endswith: '.sch'
    filter_main_generic:
        - Image|endswith:
              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
              - ':\Windows\CCM\CcmExec.exe'
              - ':\windows\system32\dllhost.exe'
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\efsui.exe'
              - ':\windows\system32\mmc.exe'
              - ':\windows\system32\svchost.exe'
              - ':\Windows\System32\wbem\WmiPrvSE.exe'
              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains:
              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
    filter_main_office:
        Image|contains|all:
            - ':\Program Files\'
            - '\Microsoft Office'
        Image|endswith: '\OUTLOOK.EXE'
    filter_optional_ldapwhoami:
        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
    filter_optional_citrix:
        # Example:
        #   TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: medium

title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    contains_format_pretty_arg:
        CommandLine|contains:
            - 'format:pretty'
            - 'format:"pretty"'
            - 'format:"text"'
            - 'format:text'
    image_from_system_folder:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    contains_winrm:
        CommandLine|contains: 'winrm'
    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
falsepositives:
    - Unlikely
level: medium