title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
status: test
description: Detects buffer overflow attempts in Unix system log files
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml  # OSSEC attack detection rules​:contentReference[oaicite:6]{index=6}​:contentReference[oaicite:7]{index=7}
    - https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html  # Exec stack syslog message (noexec_user_stack)​:contentReference[oaicite:8]{index=8}
    - https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802  # WU-FTPD exploit "0bin0sh" analysis​:contentReference[oaicite:9]{index=9}
    - https://blu.org/mhonarc/discuss/2001/04/msg00285.php  # RPC.statd exploit attempt log example​:contentReference[oaicite:10]{index=10}
    - https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/  # Stack smashing protector alert example​:contentReference[oaicite:11]{index=11}
author: Florian Roth (Nextron Systems)
date: 2017-03-01
modified: 2025-03-17
tags:
    - attack.t1068
    - attack.privilege-escalation
logsource:
    product: linux
detection:
    keywords:
        - 'attempt to execute code on stack by'
        - '0bin0sh1'
        # - 'rpc.statd[\d+]: gethostbyname error for'  # it's an expensive regex and produces questionable results
        - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # this can cause false positives in Base64 encoded data
        - 'stack smashing detected'
    condition: keywords
falsepositives:
    - Base64 encoded data in log entries
level: high

title: Bulk Deletion Changes To Privileged Account Permissions
id: 102e11e3-2db5-4c9e-bc26-357d42585d21
status: test
description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Remove eligible member (permanent)
            - Remove eligible member (eligible)
    condition: selection
falsepositives:
    - Legtimate administrator actions of removing members from a role
level: high

title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
status: test
description: Bypasses User Account Control using a fileless method
references:
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\open\command\DelegateExecute'
        Details: (Empty)
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using sdclt DelegateExecute
      technique: T1548.002
      atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7

title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
status: test
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
    filter:
        Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using Event Viewer (cmd)
      technique: T1548.002
      atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9

title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
    Detects the setting of the environement variable "windir" to a non default value.
    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
    The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Environment\windir'
    filter_main_default:
        Details: '%SystemRoot%'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
simulation:
    - type: atomic-red-team
      name: Bypass UAC using SilentCleanup Task
      technique: T1548.002
      atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608

title: Bypass UAC via CMSTP
id: e66779cc-383e-4224-a3a4-267eeb585c40
status: test
description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
    - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-08-30
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmstp.exe'
        - OriginalFileName: 'CMSTP.EXE'
    selection_cli:
        CommandLine|contains:
            - '/s'
            - '-s'
            - '/au'
            - '-au'
            - '/ni'
            - '-ni'
    condition: all of selection*
falsepositives:
    - Legitimate use of cmstp.exe utility by legitimate user
level: high

title: Bypass UAC via Fodhelper.exe
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
status: test
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
    condition: selection
falsepositives:
    - Legitimate use of fodhelper.exe utility by legitimate user
level: high

title: Bypass UAC via WSReset.exe
id: d797268e-28a9-49a7-b9a8-2f5039011c5c
related:
    - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
      type: obsolete
status: test
description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
    - https://www.activecyber.us/activelabs/windows-uac-bypass
    - https://twitter.com/ReaQta/status/1222548288731217921
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
date: 2019-10-24
modified: 2022-05-13
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wsreset.exe'
    filter:
        - Image|endswith: '\conhost.exe'
        - OriginalFileName: 'CONHOST.EXE'
    condition: selection and not filter
falsepositives:
    - Unknown sub processes of Wsreset.exe
level: high

title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2021-06-27
tags:
    - attack.stealth
    - attack.t1218.003
    - attack.execution
    - attack.t1559.001
    - attack.g0069
    - attack.g0080
    - car.2019-04-001
logsource:
    product: windows
    category: process_access
detection:
    # Process Access Call Trace
    selection:
        CallTrace|contains: 'cmlua.dll'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CMSTP Execution Process Creation
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    # CMSTP Spawning Child Process
    selection:
        ParentImage|endswith: '\cmstp.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\cmmgr32.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CMSTP UAC Bypass via COM Object Access
id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
status: stable
description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
    - https://twitter.com/hFireF0X/status/897640081053364225
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
    - https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains:
            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: COLDSTEEL Persistence Service Creation
id: 3ced239c-7285-4b54-99c4-8525b69293f7
status: test
description: Detects the creation of new services potentially related to COLDSTEEL RAT
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName:
            - 'Name'
            - 'msupdate'
            - 'msupdate2'
        ImagePath|contains: '\Windows\System32\svchost.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: COLDSTEEL RAT Anonymous User Process Execution
id: e01b6eb5-1eb4-4465-a165-85d40d874add
status: test
description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains:
            - '\Windows\System32\'
            - '\AppData\'
        User|contains: 'ANONYMOUS'
    condition: selection
falsepositives:
    - Unknown
level: high

title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546
    - attack.t1548
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
falsepositives:
    - Unknown
level: high

title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
      type: obsolete
    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
      type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
    - https://blog.talosintelligence.com/uat-5647-romcom/
    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
    - https://github.com/rtecCyberSec/BitlockMove
    - https://cert.gov.ua/article/6284080
    - https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-11-10
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
            - '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
    - Unlikely
level: high

title: CVE-2020-0688 Exploitation Attempt
id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a
status: test
description: Detects CVE-2020-0688 Exploitation attempts
references:
    - https://github.com/Ridter/cve-2020-0688
author: NVISO
date: 2020-02-27
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-0688
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains|all:
            - '/ecp/default.aspx'
            - '__VIEWSTATEGENERATOR='
            - '__VIEWSTATE='
    condition: selection
falsepositives:
    - Unknown
level: high

title: CVE-2020-0688 Exploitation via Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: test
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
    - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
author: Florian Roth (Nextron Systems), wagga
date: 2020-02-29
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-0688
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection1:
        EventID: 4
        Provider_Name: 'MSExchange Control Panel'
        Level: Error
    selection2:
        - '&__VIEWSTATE='
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: |
    Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
references:
    - https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020-05-13
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - cve.2020-1048
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
        Details|contains:
            - '.bat'
            - '.com'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - 'C:'
    condition: selection
falsepositives:
    - New printer port install on host
level: high

title: CVE-2021-21972 VSphere Exploitation
id: 179ed852-0f9b-4009-93a7-68475910fd86
status: test
description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
references:
    - https://www.vmware.com/security/advisories/VMSA-2021-0002.html
    - https://f5.pm/go-59627.html
    - https://swarm.ptsecurity.com/unauth-rce-vmware
author: Bhabesh Raj
date: 2021-02-24
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-21972
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query: '/ui/vropspluginui/rest/services/uploadova'
    condition: selection
falsepositives:
    - OVA uploads to your VSphere appliance
level: high

title: CVE-2021-21978 Exploitation Attempt
id: 77586a7f-7ea4-4c41-b19c-820140b84ca9
status: test
description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
references:
    - https://twitter.com/wugeej/status/1369476795255320580
    - https://paper.seebug.org/1495/
author: Bhabesh Raj
date: 2020-03-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-21978
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains|all:
            - 'logupload'
            - 'logMetaData'
            - 'wsgi_log_upload.py'
    condition: selection
falsepositives:
    - Unknown
level: high

title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
description: |
    Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
    creation of non-standard files on disk by Exchange Server’s Unified Messaging service
    which could indicate dropping web shells or other malicious content
references:
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2022-10-09
tags:
    - attack.t1203
    - attack.execution
    - cve.2021-26858
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: 'UMWorkerProcess.exe'
    filter:
        TargetFilename|endswith:
            - 'CacheCleanup.bin'
            - '.txt'
            - '.LOG'
            - '.cfg'
            - 'cleanup.bin'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: CVE-2021-41773 Exploitation Attempt
id: 3007fec6-e761-4319-91af-e32e20ac43f5
status: test
description: |
  Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
  An attacker could use a path traversal attack to map URLs to files outside the expected document root.
  If files outside of the document root are not protected by "require all denied" these requests can succeed.
  Additionally this flaw could leak the source of interpreted files like CGI scripts.
  This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
    - https://twitter.com/ptswarm/status/1445376079548624899
    - https://twitter.com/h4x0r_dz/status/1445401960371429381
    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml
    - https://twitter.com/bl4sty/status/1445462677824761878
author: daffainfo, Florian Roth
date: 2021-10-05
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-41773
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/cgi-bin/.%2e/'
            - '/icons/.%2e/'
            - '/cgi-bin/.%%32%65/'
            - '/icons/.%%32%65/'
            - '/cgi-bin/.%%%25%33'
            - '/icons/.%%%25%33'
        sc-status:
            - 200
            - 301
    condition: selection
falsepositives:
    - Unknown
level: high

title: CVE-2021-44077 POC Default Dropped File
id: 7b501acf-fa98-4272-aa39-194f82edc8a3
status: test
description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
    - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
tags:
    - attack.execution
    - cve.2021-44077
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\ManageEngine\SupportCenterPlus\bin\msiexec.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: CVE-2022-24527 Microsoft Connected Cache LPE
id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
status: test
description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
references:
    - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.001
    - cve.2022-24527
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
    filter:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: test
description: |
    Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
    VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
    A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
references:
    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-31656
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/SAAS/t/_/;/'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high

title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
id: f8987c03-4290-4c96-870f-55e75ee377f4
related:
    - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
      type: similar
status: test
description: |
    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
    - https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - cve.2023-22518
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/java'
        ParentCommandLine|contains: 'confluence'
    selection_child:
        # Only children associated with known campaigns
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/echo'
            - '/wget'
    filter_main_ulimit:
        CommandLine|contains: 'ulimit -u'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
id: e4556676-fc5c-4e95-8c39-5ef27791541f
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-30
tags:
    - attack.execution
    - cve.2023-38331
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\WinRAR.exe'
        TargetFilename|contains: '\AppData\Local\Temp\Rar$'
        TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
    condition: selection
falsepositives:
    - Unknown
level: high

title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
related:
    - id: e4556676-fc5c-4e95-8c39-5ef27791541f
      type: similar
status: test
description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
date: 2023-08-30
modified: 2024-01-22
tags:
    - detection.emerging-threats
    - attack.execution
    - attack.t1203
    - cve.2023-38331
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_folder:
        CommandLine|contains: '\AppData\Local\Temp\Rar$'
    selection_double_ext:
        CommandLine|re: '\.[a-zA-Z0-9]{1,4} \.'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: CVE-2023-46747 Exploitation Activity - Proxy
id: f195b2ff-e542-41bf-8d91-864fb81e5c20
related:
    - id: e9928831-ba14-42ea-a4bc-33d352b9929a
      type: similar
status: test
description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
references:
    - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
    - https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml
    - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-08
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-46747
    - detection.emerging-threats
logsource:
    category: proxy
    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
detection:
    selection:
        cs-method: 'POST'
        c-uri|contains: '/mgmt/tm/util/bash'
    keywords_hex:
        '|all':
            - '2f746d75692f436f6e74726f6c2f666f726d' # /tmui/Control/form
            - '666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370' # form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp
    keywords_plain:
        '|all':
            - '/tmui/Control/form'
            - 'form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp'
    condition: selection and (keywords_hex or keywords_plain)
falsepositives:
    - Unlikely
level: high

title: CVE-2023-46747 Exploitation Activity - Webserver
id: e9928831-ba14-42ea-a4bc-33d352b9929a
related:
    - id: f195b2ff-e542-41bf-8d91-864fb81e5c20
      type: similar
status: test
description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
references:
    - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
    - https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml
    - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg
    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-08
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-46747
    - detection.emerging-threats
logsource:
    category: webserver
    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem|contains: '/mgmt/tm/util/bash'
    keywords_hex:
        '|all':
            - '2f746d75692f436f6e74726f6c2f666f726d' # /tmui/Control/form
            - '666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370' # form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp
    keywords_plain:
        '|all':
            - '/tmui/Control/form'
            - 'form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp'
    condition: selection and (keywords_hex or keywords_plain)
falsepositives:
    - Unlikely
level: high

title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
id: aee7681f-b53d-4594-a9de-ac51e6ad3362
related:
    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
      type: similar
    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
      type: similar
    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
      type: similar
status: test
description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
references:
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-4966
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'
        cs-host|re: '.{150}'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high

title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1
related:
    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt
      type: similar
    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt
      type: similar
    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
      type: similar
status: test
description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
references:
    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966
    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/
    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-4966
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'
        cs-host|re: '.{150}'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high

title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
status: test
description: |
    Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
    It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
references:
    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-20
tags:
    - attack.initial-access
    - cve.2024-1212
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_path:
        cs-method: 'GET'
        cs-uri-stem|contains|all:
            - '/access/set'
            - 'param=enableapi'
            - 'value=1'
    selection_keywords:
        - 'Basic Jz'
        - 'Basic c7'
        - 'Basic nO'
        - "Basic ';"
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
status: experimental
description: |
    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
references:
    - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
    - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
author: Samuel Monsempes
date: 2025-01-08
tags:
    - attack.impact
    - attack.t1499
    - cve.2024-49113
    - detection.emerging-threats
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'lsass.exe'
            - 'WLDAP32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
    Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
references:
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - cve.2024-50623
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        ParentCommandLine|contains:
            - 'Harmony'
            - 'lexicom'
            - 'VersaLex'
            - 'VLTrader'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -enc '
            - ' -EncodedCommand'
            - '.Download'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
    - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
      type: derived
status: test
description: |
    Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_root:
        Image|endswith: '\wusa.exe'
        CommandLine|contains: '/extract:'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
    Detects the use of the "capsh" utility to invoke a shell.
references:
    - https://gtfobins.github.io/gtfobins/capsh/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/capsh'
        CommandLine|endswith: ' --'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Chafer Malware URL Pattern
id: fb502828-2db0-438e-93e6-801c7548686d
status: test
description: Detects HTTP request used by Chafer malware to receive data from its C2.
references:
    - https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth (Nextron Systems)
date: 2019-01-31
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/asp.asp\?ui='
    condition: selection
falsepositives:
    - Unknown
level: high

title: Change Default File Association To Executable Via Assoc
id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
related:
    - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
      type: derived
status: test
description: |
    Detects when a program changes the default file association of any extension to an executable.
    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'assoc '
            - 'exefile'
    filter:
        CommandLine|contains: '.exe=exefile'
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high

title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
    filter:
        Details|contains: NetworkService
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
    - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
    - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\ChannelAccess'
        # Add more interesting combinations if you found them
        Details|contains:
            - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
            - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
            - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and  GENERIC WRITE
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
status: test
description: Detect possible persistence using Fax DLL load when service restart
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Fax\Device Providers\'
            - '\ImageName'
    filter:
        Details: '%systemroot%\system32\fxst30.dll' # Windows 10
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Changes To PIM Settings
id: db6c06c4-bf3b-421c-aa88-15672b88c743
status: test
description: Detects when changes are made to PIM roles
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update role setting in PIM
    condition: selection
falsepositives:
    - Legit administrative PIM setting configuration changes
level: high

title: Changes to Device Registration Policy
id: 9494bff8-959f-4440-bbce-fb87a208d517
status: test
description: Monitor and alert for changes to the device registration policy.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Policy'
        ActivityDisplayName: 'Set device registration policies'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_origin:
        - Image|endswith: '\w3wp.exe'
        - ParentImage|endswith: '\w3wp.exe'
    selection_cmdline:
        CommandLine|contains:
            - '&ipconfig&echo'
            - '&quser&echo'
            - '&whoami&echo'
            - '&c:&echo'
            - '&cd&echo'
            - '&dir&echo'
            - '&echo [E]'
            - '&echo [S]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: ChromeLoader Malware Execution
id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
status: test
description: Detects execution of ChromeLoader malware via a registered scheduled task
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
author: '@kostastsale'
date: 2022-01-10
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
    - attack.t1176
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\powershell.exe'
        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
        Image|endswith: '\chrome.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Chromium Browser Headless Execution To Mockbin Like Site
id: 1c526788-0abe-4713-862f-b520da5e5316
status: test
description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
references:
    - https://www.zscaler.com/blogs/security-research/steal-it-campaign
author: X__Junior (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_headless:
        CommandLine|contains: '--headless'
    selection_url:
        CommandLine|contains:
            - '://run.mocky'
            - '://mockbin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml

title: Cisco ASA Exploitation Activity - Proxy
id: 15697955-6a29-47ca-92e9-0e05efae3260
status: experimental
description: |
    Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
references:
    - https://x.com/defusedcyber/status/1971492272966598683
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-20
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-20333
    - cve.2025-20362
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem:
            - '/+CSCOU+/MacTunnelStart.jar'
            - '/+CSCOL+/csvrloader64.cab'
            - '/+CSCOL+/csvrloader.jar'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Cisco ASA FTD Exploit CVE-2020-3452
id: aba47adc-4847-4970-95c1-61dce62a8b29
status: test
description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
references:
    - https://twitter.com/aboul3la/status/1286012324722155525
    - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
author: Florian Roth (Nextron Systems)
date: 2021-01-07
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - cve.2020-3452
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_endpoint:
        cs-uri-query|contains:
            - '+CSCOT+/translation-table'
            - '+CSCOT+/oem-customization'
    selection_path_select:
        cs-uri-query|contains:
            - '&textdomain=/'
            - '&textdomain=%'
            - '&name=/'
            - '&name=%'
    select_status_code:
        sc-status: 200
    condition: selection_endpoint and selection_path_select and select_status_code
falsepositives:
    - Unknown
level: high