
Palo Alto Cortex XDR

341 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.

Detection rules

50 shown of 341
low
MacOS Network Service Scanning
Detects enumeration of local or remote network services.
status: test · author: Alejandro Ortuno, oscd.community · id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (((action_process_image_path in ("*/nc", "*/netcat")) and 
 (not 
 action_process_image_command_line contains "l")) or 
 (action_process_image_path in ("*/nmap", "*/telnet"))))
view Sigma YAML
title: MacOS Network Service Scanning
id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith:
            - '/nc'
            - '/netcat'
    selection_2:
        Image|endswith:
            - '/nmap'
            - '/telnet'
    filter:
        CommandLine|contains: 'l'
    condition: (selection_1 and not filter) or selection_2
falsepositives:
    - Legitimate administration activities
level: low
low
Malicious Windows Script Components File Execution by TAEF Detection
The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces). Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe.
status: test · author: Agro (@agro_sev) oscd.community · id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Malicious Windows Script Components File Execution by TAEF Detection
id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
status: test
description: |
  Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
  Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
    - https://twitter.com/pabraeken/status/993298228840992768
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-13
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\te.exe'
        - ParentImage|endswith: '\te.exe'
        - OriginalFileName: '\te.exe'
    condition: selection
falsepositives:
    - It's not an uncommon to use te.exe directly to execute legal TAEF tests
level: low
low
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\Services\LanmanServer\Parameters\MaxMpxCt")
view Sigma YAML
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: test
description: |
    Detects changes to the "MaxMpxCt" registry value.
    MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Measurable Increase Of Successful Authentications
Detects when successful sign-ins increased by 10% or greater.
status: test · author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton · id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Measurable Increase Of Successful Authentications
id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
status: test
description: Detects when successful sign-ins increased by 10% or greater.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: Success
        Count: "<10%"
    condition: selection
falsepositives:
    - Increase of users in the environment
level: low
low
Microsoft Excel Add-In Loaded
Detects Microsoft Excel loading an Add-In (.xll) file
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\excel.exe" and 
 action_module_path contains ".xll"))
view Sigma YAML
title: Microsoft Excel Add-In Loaded
id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs
level: low
low
Microsoft Word Add-In Loaded
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
status: test · author: Steffen Rogge (dr0pd34d) · id: 1337afba-d17d-4d23-bd55-29b927603b30
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\winword.exe" and 
 action_module_path contains ".wll"))
view Sigma YAML
title: Microsoft Word Add-In Loaded
id: 1337afba-d17d-4d23-bd55-29b927603b30
status: test
description: |
    Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
references:
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
    - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
author: Steffen Rogge (dr0pd34d)
date: 2024-07-10
tags:
    - attack.execution
    - attack.t1204.002
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\winword.exe'
        ImageLoaded|endswith: '.wll'
    condition: selection
falsepositives:
    - The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs.
level: low
low
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence.
status: test · author: frack113 · id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Modification of IE Registry Settings
id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
status: test
description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
author: frack113
date: 2022-01-22
modified: 2025-10-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_domains:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    filter_main_dword:
        Details|startswith: 'DWORD'
    filter_main_null:
        Details: null
    filter_main_office:
        Details:
            - 'Cookie:'
            - 'Visited:'
            - '(Empty)'
    filter_main_path:
        TargetObject|contains:
            - '\Cache'
            - '\ZoneMap'
            - '\WpadDecision'
    filter_main_binary:
        Details: 'Binary Data'
    filter_optional_accepted_documents:
        # Spotted during Office installations
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
    condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low
low
Msiexec.EXE Initiated Network Connection Over HTTP
Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
status: test · author: frack113 · id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Msiexec.EXE Initiated Network Connection Over HTTP
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: test
description: |
    Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
    Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
    Use this rule to hunt for potentially anomalous or suspicious communications.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-01-16
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218.007
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Likely
level: low
low
Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file
status: test · author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock · id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Mstsc.EXE Execution With Local RDP File
id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
date: 2023-04-18
modified: 2023-04-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    filter_optional_wsl:
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with legitimate usage of ".rdp" files
level: low
low
NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name contains "ntds.dit")
view Sigma YAML
title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ntds.dit'
    condition: selection
falsepositives:
    - Unknown
level: low
low
NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers
status: test · author: Florian Roth (Nextron Systems) · id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: test
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
author: Florian Roth (Nextron Systems)
date: 2018-06-08
modified: 2024-07-22
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
    condition: selection
falsepositives:
    - Legacy hosts
level: low
low
Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 action_process_image_path contains "/mkfifo")
view Sigma YAML
title: Named Pipe Created Via Mkfifo
id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Net.EXE Execution
Detects execution of "Net.EXE".
status: test · author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) · id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Net.EXE Execution
id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
status: test
description: Detects execution of "Net.EXE".
references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
    - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
date: 2019-01-16
modified: 2022-07-11
tags:
    - attack.discovery
    - attack.t1007
    - attack.t1049
    - attack.t1018
    - attack.t1135
    - attack.t1201
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1087.001
    - attack.t1087.002
    - attack.lateral-movement
    - attack.t1021.002
    - attack.s0039
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains:
            - ' accounts'
            - ' group'
            - ' localgroup'
            - ' share'
            - ' start'
            - ' stop '
            - ' user'
            - ' view'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
low
Network Connection Initiated By PowerShell Process
Detects a network connection that was initiated from a PowerShell process. Malicious PowerShell scripts often download additional payloads or communicate back to command-and-control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
status: test · author: Florian Roth (Nextron Systems) · id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Network Connection Initiated By PowerShell Process
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: test
description: |
    Detects a network connection that was initiated from a PowerShell process.
    Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
    Use this rule as a basis for hunting for anomalies.
references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2024-03-13
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Initiated: 'true'
    filter_main_local_ip:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16'  # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13'
            - '51.103.210.0/23'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative scripts
    - Microsoft IP range
    - Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range')
level: low
low
Network Connection Initiated To Mega.nz
Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
status: test · author: Florian Roth (Nextron Systems) · id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Network Connection Initiated To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
description: |
    Detects a network connection initiated by a binary to "api.mega.co.nz".
    Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
references:
    - https://megatools.megous.com/
    - https://www.mandiant.com/resources/russian-targeting-gov-business
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2024-05-31
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    condition: selection
falsepositives:
    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
level: low
low
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status: test · author: Timur Zinniatullin, oscd.community · id: f4d3748a-65d1-4806-bd23-e25728081d01
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Network Sniffing - Linux
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: test
description: |
  Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
  An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-12-18
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: 'execve'
        a0: 'tcpdump'
        a1: '-c'
        a3|contains: '-i'
    selection_2:
        type: 'execve'
        a0: 'tshark'
        a1: '-c'
        a3: '-i'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
low
New BITS Job Created Via Bitsadmin
Detects the creation of a new BITS job by Bitsadmin.
status: test · author: frack113 · id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New BITS Job Created Via Bitsadmin
id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
status: test
description: Detects the creation of a new bits job by Bitsadmin
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith: '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field
level: low
low
New BITS Job Created Via PowerShell
Detects the creation of a new BITS job by PowerShell.
status: test · author: frack113 · id: fe3a2d49-f255-4d10-935c-bda7391108eb
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New BITS Job Created Via PowerShell
id: fe3a2d49-f255-4d10-935c-bda7391108eb
status: test
description: Detects the creation of a new bits job by PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: low
low
New Cron File Created
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
status: experimental · author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC · id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (((action_file_name in ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.monthly/*", "/etc/cron.weekly/*", "/var/spool/cron/crontabs/*", "/var/spool/cron/root*")) or 
 (action_file_name in ("*/etc/cron.allow*", "*/etc/cron.deny*", "*/etc/crontab*"))) and 
 (not 
 (action_file_name in ("/etc/cron.daily/apt", "/etc/cron.daily/dpkg", "/etc/cron.daily/passwd", "/etc/crontabs/root")))))
view Sigma YAML
title: New Cron File Created
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: experimental
description: |
    Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
    Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
    This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
    Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
    Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
    Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
    - https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
    - https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
    - https://snehbavarva.medium.com/privilege-escalation-techniques-series-linux-cron-jobs-a5b797b424b4
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection_cron_dirs:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
            - '/var/spool/cron/root'
    selection_cron_special_files:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    filter_optional_legit_cron:
        # Note: FPs on docker images: golang, postgres, python, redis, ruby
        TargetFilename:
            - '/etc/cron.daily/apt'
            - '/etc/cron.daily/dpkg'
            - '/etc/cron.daily/passwd'
            - '/etc/crontabs/root'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.
level: low
low
New Kind of Network (NKN) Detection
NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
status test author Michael Portera (@mportatoes) id fa7703d6-0ee8-4949-889c-48c84bc15b6f
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New Kind of Network (NKN) Detection
id: fa7703d6-0ee8-4949-889c-48c84bc15b6f
status: test
description: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
references:
    - https://github.com/nknorg/nkn-sdk-go
    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
    - https://github.com/Maka8ka/NGLite
author: Michael Portera (@mportatoes)
date: 2022-04-21
tags:
    - attack.command-and-control
logsource:
    product: zeek
    service: dns
detection:
    selection:
        query|contains|all:
            - 'seed'
            - '.nkn.org'
    condition: selection
falsepositives:
    - Unknown
level: low
low
New Kubernetes Service Account Created
Detects the creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
status test author Leo Tsaousis (@laripping) id e31bae15-83ed-473e-bf31-faf4f8a17d36
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
      type: derived
status: test
description: |
    Detects the creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.persistence
    - attack.t1136
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'serviceaccounts'
    condition: selection
falsepositives:
    - Unknown
level: low
low
New Network ACL Entry Added
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
status test author jamesc-grafana id e1f7febb-7b94-4234-b5c6-00fb8500f5dd
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
    Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
falsepositives:
    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
level: low
low
New ODBC Driver Registered
Detects the registration of a new ODBC driver.
status test author Nasreddine Bencherchali (Nextron Systems) id 3390fbef-c98d-4bdd-a863-d65ed7c610dd
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SOFTWARE\ODBC\ODBCINST.INI\" and 
 action_registry_key_name contains "\Driver") and 
 (not 
 (action_registry_key_name contains "\SQL Server\" and 
 (action_registry_value_name = "%WINDIR%\System32\SQLSRV32.dll" or 
 action_registry_data = "%WINDIR%\System32\SQLSRV32.dll"))) and 
 (not 
 ((action_registry_key_name contains "\Microsoft Access " and 
 (action_registry_value_name contains "C:\Progra" or 
 action_registry_data contains "C:\Progra") and 
 (action_registry_value_name contains "\ACEODBC.DLL" or 
 action_registry_data contains "\ACEODBC.DLL")) or 
 (action_registry_key_name contains "\Microsoft Excel Driver" and 
 (action_registry_value_name contains "C:\Progra" or 
 action_registry_data contains "C:\Progra") and 
 (action_registry_value_name contains "\ACEODBC.DLL" or 
 action_registry_data contains "\ACEODBC.DLL"))))))
view Sigma YAML
title: New ODBC Driver Registered
id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
status: test
description: Detects the registration of a new ODBC driver.
references:
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
        TargetObject|endswith: '\Driver'
    filter_main_sqlserver:
        TargetObject|contains: '\SQL Server\'
        Details: '%WINDIR%\System32\SQLSRV32.dll'
    filter_optional_office_access:
        TargetObject|contains: '\Microsoft Access '
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    filter_optional_office_excel:
        TargetObject|contains: '\Microsoft Excel Driver'
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
low
New Process Created Via Taskmgr.EXE
Detects the creation of a process via the Windows Task Manager. This might be an attempt to bypass UAC.
status test author Florian Roth (Nextron Systems) id 3d7679bd-0c00-440c-97b0-3f204273e6c7
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\taskmgr.exe" and 
 (not 
 (action_process_image_path in ("*:\Windows\System32\mmc.exe", "*:\Windows\System32\resmon.exe", "*:\Windows\System32\Taskmgr.exe")))))
view Sigma YAML
title: New Process Created Via Taskmgr.EXE
id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
status: test
description: Detects the creation of a process via the Windows Task Manager. This might be an attempt to bypass UAC.
references:
    - https://twitter.com/ReneFreingruber/status/1172244989335810049
author: Florian Roth (Nextron Systems)
date: 2018-03-13
modified: 2024-01-18
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\taskmgr.exe'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\System32\resmon.exe'
            - ':\Windows\System32\Taskmgr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: low
low
New Service Creation Using PowerShell
Detects the creation of a new service using PowerShell.
status test author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community id c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "New-Service" and 
 action_process_image_command_line contains "-BinaryPathName"))
view Sigma YAML
title: New Service Creation Using PowerShell
id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
related:
    - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE
      type: similar
status: test
description: Detects the creation of a new service using PowerShell.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-Service'
            - '-BinaryPathName'
    condition: selection
falsepositives:
    - Legitimate administrator or user creates a service for legitimate reasons.
    - Software installation
level: low
low
New Service Creation Using Sc.EXE
Detects the creation of a new service using the "sc.exe" utility.
status test author Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community id 85ff530b-261d-48c6-a441-facaa2e81e48
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\sc.exe" and 
 (action_process_image_command_line contains "create" and 
 action_process_image_command_line contains "binPath")) and 
 (not 
 ((actor_process_image_path in ("C:\Program Files (x86)\Dropbox\Client\*", "C:\Program Files\Dropbox\Client\*")) and 
 actor_process_image_path contains "\Dropbox.exe"))))
view Sigma YAML
title: New Service Creation Using Sc.EXE
id: 85ff530b-261d-48c6-a441-facaa2e81e48
related:
    - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell
      type: similar
status: test
description: Detects the creation of a new service using the "sc.exe" utility.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
modified: 2025-09-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'create'
            - 'binPath'
    filter_optional_dropbox:
        ParentImage|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        ParentImage|endswith: '\Dropbox.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrator or user creates a service for legitimate reasons.
    - Software installation
level: low
low
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
status test author frack113 id 51483085-0cba-46a8-837e-4416496d6971
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
id: 51483085-0cba-46a8-837e-4416496d6971
related:
    - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
      type: similar
status: test
description: |
    Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113
date: 2024-05-03
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_args:
        CommandLine|contains|all:
            - 'New-NetFirewallRule '
            - ' -Action '
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Administrator script
level: low
low
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
status test author frack113 id 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
related:
    - id: 51483085-0cba-46a8-837e-4416496d6971
      type: similar
status: test
description: |
    Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113
date: 2024-05-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'New-NetFirewallRule*-Action*Allow'
    condition: selection
falsepositives:
    - Administrator script
level: low
low
Nltest.EXE Execution
Detects nltest commands that can be used for information discovery
status test author Arun Chauhan id 903076ff-f442-475a-b667-4f246bcc203b
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author: Arun Chauhan
date: 2023-02-03
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1018
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\nltest.exe'
        - OriginalFileName: 'nltestrk.exe'
    condition: selection
falsepositives:
    - Legitimate administration activity
level: low
low
No Suitable Encryption Key Found For Generating Kerberos Ticket
Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur, for example, when a service uses a user account or a computer account that is configured for DES encryption only, on a computer running Windows 7, which has DES encryption for Kerberos authentication disabled.
status test author @SerkinValery id b1e0b3f5-b62e-41be-886a-daffde446ad4
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: No Suitable Encryption Key Found For Generating Kerberos Ticket
id: b1e0b3f5-b62e-41be-886a-daffde446ad4
status: test
description: |
    Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets.
    This issue can occur, for example, when a service uses a user account or a computer account that is configured for DES encryption only, on a computer running Windows 7, which has DES encryption for Kerberos authentication disabled.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
author: '@SerkinValery'
date: 2024-03-07
modified: 2025-09-22
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
            - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
    condition: selection
falsepositives:
    - Unknown
level: low
low
NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using the Node.js binary node.exe, which could be suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id ba3874b9-0fae-465f-836c-eb5d071a1789
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: NodeJS Execution of JavaScript File
id: ba3874b9-0fae-465f-836c-eb5d071a1789
status: experimental
description: |
    Detects execution of JavaScript or JSC files using the Node.js binary node.exe, which could be suspicious.
    Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
    Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
    Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
level: low
low
Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
status test author Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) id f4bbd493-b796-416e-bbf2-121235348529
No stored cortex_xdr translation for this rule. Expand the YAML below to convert it inline.
view Sigma YAML
title: Non Interactive PowerShell Process Spawned
id: f4bbd493-b796-416e-bbf2-121235348529
status: test
description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
references:
    - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
date: 2019-09-12
modified: 2025-02-28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_generic:
        ParentImage|endswith:
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\CompatTelRunner.exe'
            - ':\Windows\SysWOW64\explorer.exe'
    filter_main_windows_update:
        ParentImage|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades; pattern starts with a drive-letter colon, so it needs the endswith modifier to match
        # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
    filter_optional_vscode:
        # Triggered by VsCode when you open a Shell inside the workspace
        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
        ParentImage|endswith: '\WindowsTerminal.exe'
    filter_optional_defender:
        ParentImage|endswith: ':\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts, which may trigger this rule often. It is best to add additional filters or use this rule to hunt for anomalies.
level: low
low
Notepad Password Files Discovery
Detects the execution of Notepad to open a file whose name contains the string "password", which may indicate unauthorized access to credentials or suspicious activity.
status experimental author The DFIR Report id 3b4e950b-a3ea-44d3-877e-432071990709
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\explorer.exe" and 
 action_process_image_path contains "\notepad.exe" and 
 (action_process_image_command_line in ("*password*.txt", "*password*.csv", "*password*.doc", "*password*.xls"))))
view Sigma YAML
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file whose name contains the string "password", which may indicate unauthorized access to credentials or suspicious activity.
references:
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
    - https://intel.thedfirreport.com/eventReports/view/57  # Private Report
author: 'The DFIR Report'
tags:
    - attack.discovery
    - attack.t1083
date: 2025-02-21
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\notepad.exe'
        # Note: Command line must end with a file name containing the string "password" and one of these extensions
        CommandLine|endswith:
            - 'password*.txt'
            - 'password*.csv'
            - 'password*.doc'
            - 'password*.xls'
    condition: selection
falsepositives:
    - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low
low
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often preceded by the execution of "uname" or "cat /proc/cpuinfo".
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id d27ab432-2199-483f-a297-03633c05bae6
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/grep" and 
 (action_process_image_command_line in ("*aarch64", "*arm", "*i386", "*i686", "*mips", "*x86_64"))))
view Sigma YAML
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
    Detects the use of grep to identify information about the operating system architecture. Often preceded by the execution of "uname" or "cat /proc/cpuinfo".
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection_process:
        Image|endswith: '/grep'
    selection_architecture:
        CommandLine|endswith:
            - 'aarch64'
            - 'arm'
            - 'i386'
            - 'i686'
            - 'mips'
            - 'x86_64'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
low
Office Macro File Creation
Detects the creation of new Office macro files on the system.
status test author Nasreddine Bencherchali (Nextron Systems) id 91174a41-dc8f-401b-be89-7bfc140612a0
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*.docm", "*.dotm", "*.xlsm", "*.xltm", "*.potm", "*.pptm")) and 
 (not 
 ((actor_process_image_path in ("C:\Program Files\Microsoft Office\*", "C:\Program Files (x86)\Microsoft Office\*")) and 
 (actor_process_image_path in ("*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.EXE")) and 
 action_file_name contains "\~$"))))
view Sigma YAML
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of new Office macro files on the system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
        TargetFilename|contains: '\~$' # Temporary files created by Office applications
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low
low
Office Macro File Download
Detects the creation of new Office macro files on the system via an application (browser, mail client). This can help identify potentially malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
status test author Nasreddine Bencherchali (Nextron Systems) id 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\RuntimeBroker.exe", "*\outlook.exe", "*\thunderbird.exe", "*\brave.exe", "*\chrome.exe", "*\firefox.exe", "*\iexplore.exe", "*\maxthon.exe", "*\MicrosoftEdge.exe", "*\msedge.exe", "*\msedgewebview2.exe", "*\opera.exe", "*\safari.exe", "*\seamonkey.exe", "*\vivaldi.exe", "*\whale.exe")) and 
 ((action_file_name in ("*.docm", "*.dotm", "*.xlsm", "*.xltm", "*.potm", "*.pptm")) or 
 (action_file_name in ("*.docm:Zone*", "*.dotm:Zone*", "*.xlsm:Zone*", "*.xltm:Zone*", "*.potm:Zone*", "*.pptm:Zone*")))))
view Sigma YAML
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of new Office macro files on the system via an application (browser, mail client).
    This can help identify potentially malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low
low
Okta Password Health Report Query
Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the Okta Admin Console UI. Use this rule to hunt for potentially suspicious requests. Correlate this event with "admin console" logins and alert on requests without any corresponding admin console login.
status test author Muhammad Faisal (@faisalusuf) id 0d58814b-1660-4d31-8c93-d1086ed24cba
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Okta Password Health Report Query
id: 0d58814b-1660-4d31-8c93-d1086ed24cba
status: test
description: |
    Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the OKTA Admin Console UI.
    Use this rule to hunt for potentially suspicious requests. Correlate this event with an "admin console" login and alert on requests without any corresponding admin console login.
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
tags:
    - attack.credential-access
    - detection.threat-hunting
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: '/reports/password-health/'
    condition: selection
falsepositives:
    - OKTA Admin Activities via Web Console UI.
    - This rule is recommended to be used for threat hunting, especially in the context of the OKTA support incident in OCT-2023.
    - This rule can be used to hunt the activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used from the Okta Admin Console UI only, without any corresponding admin console login. See reference.
level: low
low
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
status test author Austin Songer @austinsonger id 1667a172-ed4c-463c-9969-efd92195319a
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Okta Policy Modified or Deleted
id: 1667a172-ed4c-463c-9969-efd92195319a
status: test
description: Detects when an Okta policy is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - policy.lifecycle.update
            - policy.lifecycle.delete
    condition: selection
falsepositives:
    - Okta Policies being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
OneLogin User Account Locked
Detects when a user account is locked or suspended.
status test author Austin Songer @austinsonger id a717c561-d117-437e-b2d9-0118a7035d01
No stored cortex_xdr translation for this rule.
Sigma YAML
title: OneLogin User Account Locked
id: a717c561-d117-437e-b2d9-0118a7035d01
status: test
description: Detects when a user account is locked or suspended.
references:
    - https://developers.onelogin.com/api-docs/1/events/event-resource/
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: onelogin
    service: onelogin.events
detection:
    selection1: # Locked via API
        event_type_id: 532
    selection2: # Locked via API
        event_type_id: 553
    selection3: # Suspended via API
        event_type_id: 551
    condition: 1 of selection*
falsepositives:
    - System may lock or suspend user accounts.
level: low
low
OneLogin User Assumed Another User
Detects when a user assumed another user account.
status test author Austin Songer @austinsonger id 62fff148-278d-497e-8ecd-ad6083231a35
No stored cortex_xdr translation for this rule.
Sigma YAML
title: OneLogin User Assumed Another User
id: 62fff148-278d-497e-8ecd-ad6083231a35
status: test
description: Detects when a user assumed another user account.
references:
    - https://developers.onelogin.com/api-docs/1/events/event-resource
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: onelogin
    service: onelogin.events
detection:
    selection:
        event_type_id: 3
    condition: selection
falsepositives:
    - Unknown
level: low
low
Outgoing Logon with New Credentials
Detects logon events that specify new credentials
status test author Max Altgelt (Nextron Systems) id def8b624-e08f-4ae1-8612-1ba21190da6b
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Outgoing Logon with New Credentials
id: def8b624-e08f-4ae1-8612-1ba21190da6b
status: test
description: Detects logon events that specify new credentials
references:
    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.lateral-movement
    - attack.t1550
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection
falsepositives:
    - Legitimate remote administration activity
level: low
low
Outlook Task/Note Reminder Received
Detects changes to the registry values related to Outlook that indicate that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether the exploitation succeeded.
status test author Nasreddine Bencherchali (Nextron Systems) id fc06e655-d98c-412f-ac76-05c2698b1cb2
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\SOFTWARE\Microsoft\Office\" and 
 action_registry_key_name contains "\Outlook\") and 
 (action_registry_key_name in ("*\Tasks\*", "*\Notes\*"))))
Sigma YAML
title: Outlook Task/Note Reminder Received
id: fc06e655-d98c-412f-ac76-05c2698b1cb2
status: test
description: Detects changes to the registry values related to Outlook that indicate that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether the exploitation succeeded.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\'
        TargetObject|contains:
            - '\Tasks\'
            - '\Notes\'
    condition: selection
falsepositives:
    - Legitimate reminders received for a task or a note will also trigger this rule.
level: low
low
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
status stable author Jakob Weinzettl, oscd.community id 37222991-11e9-4b6d-8bdf-60fbe48f753e
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) of a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Jakob Weinzettl, oscd.community
date: 2019-10-23
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'
        a1|contains:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection
falsepositives:
    - Appending null bytes to files.
    - Legitimate overwrite of files.
level: low
low
PFX File Creation
Detects the creation of PFX files (Personal Information Exchange format). PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
- Exfiltrate digital certificates for impersonation or signing malicious code
- Establish persistent access through certificate-based authentication
- Bypass security controls that rely on certificate validation
Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id dca1b3e8-e043-4ec8-85d7-867f334b5724
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains ".pfx" and 
 (not 
 (((actor_process_image_path in ("C:\Program Files\Microsoft OneDrive\OneDrive.exe", "C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe")) and 
 action_file_name contains "\OneDrive\CodeSigning.pfx") or 
 (action_file_name in ("C:\Program Files (x86)\Microsoft Visual Studio\*", "C:\Program Files\Microsoft Visual Studio\*")) or 
 action_file_name contains "C:\Program Files\CMake\"))))
Sigma YAML
title: PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: |
    Detects the creation of PFX files (Personal Information Exchange format).
    PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:

        - Exfiltrate digital certificates for impersonation or signing malicious code
        - Establish persistent access through certificate-based authentication
        - Bypass security controls that rely on certificate validation

    Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/14
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1552.004
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.pfx'
    filter_optional_onedrive:
        Image:
            - 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
            - 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
        TargetFilename|endswith: '\OneDrive\CodeSigning.pfx'
    filter_optional_visual_studio:
        TargetFilename|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
    filter_optional_cmake:
        TargetFilename|startswith: 'C:\Program Files\CMake\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - System administrators legitimately managing certificates and PKI infrastructure
    - Development environments where developers create test certificates for application signing
    - Automated certificate deployment tools and scripts used in enterprise environments
    - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)
    - Certificate backup and recovery operations performed by IT staff
    - Build systems and CI/CD pipelines that generate code signing certificates
    - Third-party applications that create temporary certificates for secure communications
level: low
low
PUA - Adidnsdump Execution
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory integrated DNS via LDAP.
status test author frack113 id 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "\python.exe" and 
 action_process_image_command_line contains "adidnsdump"))
Sigma YAML
title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed.
    Used to query/modify DNS records for Active Directory integrated DNS via LDAP.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
author: frack113
date: 2022-01-01
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains: 'adidnsdump'
    condition: selection
falsepositives:
    - Unknown
level: low
low
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
status test author Markus Neis id 25ffa65d-76d8-4da5-a832-3f2b0136e133
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "\EulaAccepted")
Sigma YAML
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml
low
Password Policy Discovery - Linux
Detects password policy discovery commands
status stable author Ömer Günal, oscd.community, Pawel Mazur id ca94a6db-8106-4737-9ed2-3e3bb826af0a
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Password Policy Discovery - Linux
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
    - https://linux.die.net/man/1/chage
    - https://man7.org/linux/man-pages/man1/passwd.1.html
    - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020-10-08
modified: 2024-12-01
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: linux
    service: auditd
detection:
    selection_files:
        type: 'PATH'
        name:
            - '/etc/login.defs'
            - '/etc/pam.d/auth'
            - '/etc/pam.d/common-account'
            - '/etc/pam.d/common-auth'
            - '/etc/pam.d/common-password'
            - '/etc/pam.d/system-auth'
            - '/etc/security/pwquality.conf'
    selection_chage:
        type: 'EXECVE'
        a0: 'chage'
        a1:
            - '--list'
            - '-l'
    selection_passwd:
        type: 'EXECVE'
        a0: 'passwd'
        a1:
            - '-S'
            - '--status'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low
low
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
status test author frack113 id bbb9495b-58fc-4016-b9df-9a3a1b67ca82
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
status: test
description: Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low
Password Protected Compressed File Extraction Via 7Zip
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
status test author Nasreddine Bencherchali (Nextron Systems) id b717b8fd-6467-4d7d-b3d3-27f9a463af77
No stored cortex_xdr translation for this rule.
Sigma YAML
title: Password Protected Compressed File Extraction Via 7Zip
id: b717b8fd-6467-4d7d-b3d3-27f9a463af77
status: test
description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
references:
    - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-10
modified: 2026-06-05
tags:
    - attack.collection
    - attack.t1560.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7za.exe'
              - '\7zr.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
              - '7zr.exe'
    selection_password:
        CommandLine|contains|all:
            - ' -p'
            - ' x '
            - ' -o'
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since extracting files with a password can be common in some environments.
level: low
low
Potential 7za.DLL Sideloading
Detects potential DLL sideloading of "7za.dll"
status test author X__Junior id 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\7za.dll" and 
 (not 
 ((actor_process_image_path in ("C:\Program Files (x86)\*", "C:\Program Files\*")) and 
 (action_module_path in ("C:\Program Files (x86)\*", "C:\Program Files\*"))))))
Sigma YAML
title: Potential 7za.DLL Sideloading
id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
status: test
description: Detects potential DLL sideloading of "7za.dll"
references:
    - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
author: X__Junior
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\7za.dll'
    filter_main_legit_path:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
level: low