title: Potential Azure Browser SSO Abuse
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
status: test
description: |
    Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
    An attacker can use this to authenticate to Azure AD in a browser as that user.
references:
    - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
author: Den Iuzvyk
date: 2020-07-15
modified: 2023-04-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded: 'C:\Windows\System32\MicrosoftAccountTokenProvider.dll'
    filter_main_bgtaskhost:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        Image|endswith: '\BackgroundTaskHost.exe'
        # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider'
    filter_optional_devenv:
        Image|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        Image|endswith: '\IDE\devenv.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity
level: low

title: Potential Bucket Enumeration on AWS
id: f305fd62-beca-47da-ad95-7690a0620084
related:
    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
      type: similar
status: test
description: Looks for potential enumeration of AWS buckets via ListBuckets.
references:
    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-01-06
modified: 2024-07-10
tags:
    - attack.discovery
    - attack.t1580
    - attack.t1619
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName: 'ListBuckets'
    filter:
        userIdentity.type: 'AssumedRole'
    condition: selection and not filter
falsepositives:
    - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
level: low

title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
    category: process_creation
    product: linux
detection:
    selection_ls_img:
        Image|endswith: '/ls'    # inode outside containers low, inside high
    selection_ls_cli:
        - CommandLine|endswith: ' /'
        - CommandLine|contains: ' / '
    selection_regex_inode:
        CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)'      # -i finds inode number
    selection_regex_dir:
        CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)'  # -d gets directory itself, not contents
    condition: all of selection_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low

title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
id: db809f10-56ce-4420-8c86-d6a7d793c79c
status: test
description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1006
logsource:
    product: windows
    category: raw_access_thread
detection:
    filter_main_floppy:
        Device|contains: floppy
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\CCM\'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\servicing\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemApps\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_main_system_images:
        Image:
            - 'Registry'
            - 'System'
    filter_main_windefender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe'
            - '\MpDefenderCoreService.exe'
    filter_main_microsoft_appdata:
        Image|startswith: 'C:\Users\'
        Image|contains|all:
            - '\AppData\'
            - '\Microsoft\'
    filter_main_ssd_nvme:
        Image|startswith: 'C:\Windows\Temp\'
        Image|endswith:
            - '\Executables\SSDUpdate.exe'
            - '\HostMetadata\NVMEHostmetadata.exe'
    filter_main_null:
        Image: null
    filter_main_systemsettings:
        Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
    filter_main_update:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_optional_github_desktop:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\GitHubDesktop\app-'
        Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith: '\thor.exe'
    filter_optional_Keybase:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Keybase\upd.exe'
    condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low

title: Potential Encoded PowerShell Patterns In CommandLine
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: similar
status: test
description: Detects specific combinations of encoding methods in PowerShell via the commandline
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_to_1:
        CommandLine|contains:
            - 'ToInt'
            - 'ToDecimal'
            - 'ToByte'
            - 'ToUint'
            - 'ToSingle'
            - 'ToSByte'
    selection_to_2:
        CommandLine|contains:
            - 'ToChar'
            - 'ToString'
            - 'String'
    selection_gen_1:
        CommandLine|contains|all:
            - 'char'
            - 'join'
    selection_gen_2:
        CommandLine|contains|all:
            - 'split'
            - 'join'
    condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)
falsepositives:
    - Unknown
level: low

title: Potential Executable Run Itself As Sacrificial Process
id: bafd07c6-3ea5-454a-b4be-058fbb073de7
status: experimental
description: |
    Detects when an executable launches an identical instance of itself, a behavior often used to create a suspended “sacrificial” process for code injection or evasion.
    Investigate for indicators such as the process being started in suspended mode, rapid parent termination, memory manipulation (e.g., WriteProcessMemory, CreateRemoteThread), or unsigned binaries.
    Review command-line arguments, process ancestry, and network activity to confirm if this is legitimate behavior or process injection activity.
references:
    - https://www.joesandbox.com/analysis/1605063/0/html
author: frack113
date: 2025-10-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|fieldref: ParentImage
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_original_fn:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CompatTelRunner.exe'
            - 'Discord.exe'
            - 'electron.exe' # Vs Code
            - 'EXPLORER.EXE'
            - 'httpd.exe'
            - 'IE4UINIT.EXE'
            - 'mmc.exe'
            - 'MpCmdRun.exe'
            - 'mscorsvw.exe'
            - 'msiexec.exe'
            - 'NGenTask.exe'
            - 'OneDriveSetup.exe'
            - 'PowerShell.EXE'
            - 'REGSVR32.EXE'
            - 'smss.exe'
            - 'Spotify.exe'
            - 'WerMgr'
    filter_main_product:
        Product:
            - 'Avira'
            - 'Evernote'
            - 'Firefox'
            - 'Microsoft Office'
            - 'Ninite'
            - 'Opera Browser Assistant Installer'
            - 'Opera Installer'
            - 'Sysinternals Sysmon'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software that may launch a new instance of itself, especially updaters or installers. Investigate each alert and apply whitelisting as needed.
# Increase the level after some initial tuning in your environment
level: low

title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low

title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
id: 52a85084-6989-40c3-8f32-091e12e17692
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.
    During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).
    Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
references:
    - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
author: Cybex
date: 2022-08-16
modified: 2025-11-03
tags:
    - attack.execution
    - detection.emerging-threats
    - cve.2022-21919
    - cve.2021-34484
logsource:
    product: windows
    service: application
detection:
    selection:
        EventID: 1511
        Provider_Name: 'Microsoft-Windows-User Profiles Service'
    condition: selection
falsepositives:
    - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
level: low

title: Potential File Override/Append Via SET Command
id: 65e4c134-ee52-4099-9e35-5e17a4b45c62
status: test
description: |
    Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
    Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
    Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
    The typical use case of the "set /p=" command is to prompt the user for input.
references:
    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1
    - https://ss64.com/nt/set.html
author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
date: 2024-08-22
tags:
    - attack.execution
    - detection.threat-hunting
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains:
            - '/c set /p='
            - '"set /p='
            - '>>*set /p=' # To catch edge cases where the attacker passes it via a "cmd /c"
    condition: all of selection_*
falsepositives:
    - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts.
level: low

title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
      type: derived
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
    - https://github.com/1337Rin/Swag-PSO
author: frack113
date: 2023-01-08
modified: 2025-10-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1027
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Set-Alias '
            - 'New-Alias '
    filter_main_cim:
        ScriptBlockText:
            - 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low

title: Potential PowerShell Obfuscation Using Character Join
id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
    - id: 96cd126d-f970-49c4-848a-da3a09f55c55
      type: derived
status: test
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1027
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        # Example:
        #   Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
        #   Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
        ScriptBlockText|contains|all:
            - '-Alias' # For both "New-Alias" and "Set-Alias"
            - ' -Value (-join('
    condition: selection
falsepositives:
    - Unknown
level: low

title: Potential Proxy Execution Via Explorer.EXE From Shell Process
id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
status: test
description: |
    Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
    Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
    While this is often a legitimate action, this rule can be use to hunt for anomalies.
    Muddy Waters threat actor was seeing using this technique.
references:
    - https://twitter.com/CyberRaiju/status/1273597319322058752
    - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
date: 2020-10-05
modified: 2024-06-21
tags:
    - attack.stealth
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\explorer.exe'
        CommandLine|contains: 'explorer.exe'
    condition: selection
falsepositives:
    - Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe"
level: low

title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
status: test
description: |
    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
    Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
references:
    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
detection:
    selection_registry_image:
        - Image|contains:
              - '\AppData\Local\Temp\'
              - '\Downloads\'
              - '\Users\Public\'
              - '\Windows\Temp\'
        - Image|endswith: '\control.exe'
    selection_registry_object:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
    selection_value_enable:
        TargetObject|endswith:
            - '\IntranetName'
            - '\ProxyByPass'
            - '\UNCAsIntranet'
        Details|contains: 'DWORD (0x00000001)'
    selection_value_disable:
        TargetObject|endswith: '\AutoDetect'
        Details|contains: 'DWORD (0x00000000)'
    condition: all of selection_registry_* and 1 of selection_value_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low

title: Potential Suspicious Execution From GUID Like Folder Names
id: 90b63c33-2b97-4631-a011-ceb0f47b77c3
status: test
description: |
    Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
    Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
references:
    - https://twitter.com/Kostastsale/status/1565257924204986369
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-03-02
tags:
    - attack.stealth
    - attack.t1027
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    # Uncomment this section and remove the filter if you want the rule to be more specific to processes
    # selection_img:
    #     Image|endswith:
    #         - '\rundll32.exe'
    selection_folder:
        CommandLine|contains:
            # Add more suspicious or unexpected paths
            - '\AppData\Roaming\'
            - '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with GUID
    selection_guid:
        CommandLine|contains|all:
            - '\{'
            - '}\'
    filter_main_image_guid:
        Image|contains|all:
            - '\{'
            - '}\'
    filter_main_null:
        Image: null
    filter_main_driver_inst:  # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}"
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: all of selection_* and not 1 of filter*
falsepositives:
    - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
level: low

title: Potentially Suspicious Long Filename Pattern - Linux
id: 11629c4d-0fe6-465b-be62-b39a1c442aad
status: experimental
description: |
    Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
    This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
    Adjust the threshold of filename length as needed based on your environment.
references:
    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.004
    - attack.t1027
    - detection.threat-hunting
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|re: '[^/]{100,}$'
    filter_optional_known_good:
        TargetFilename|startswith:
            - '/run/systemd/units/invocation:systemd-fsck@'
            - '/sys/firmware/'
            - '/var/log/journal/'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate files with long filenames.
level: low

title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: test
description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
    - https://github.com/mttaggart/OffensiveNotion
    - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
author: Gavin Knapp
date: 2023-05-03
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.notion.com'
    filter_main_notion:
        Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low

title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning

title: PowerShell Download Via Net.WebClient - PowerShell Classic
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: |
    Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.
    This technique is often abused by attackers to download additional payloads.
references:
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2026-04-28
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection_webclient:
        Data|contains: 'Net.WebClient'
    selection_download:
        Data|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*
falsepositives:
    - This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter.
level: low

title: PowerShell Module File Created
id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    condition: selection
falsepositives:
    - Likely
level: low

title: PowerShell Script Change Permission Via Set-Acl - PsScript
id: cae80281-ef23-44c5-873b-fd48d2666f49
related:
    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
      type: derived
    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
      type: derived
    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
      type: derived
status: test
description: Detects PowerShell scripts set ACL to of a file or a folder
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
    - attack.defense-impairment
    - attack.t1222
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Set-Acl '
            - '-AclObject '
            - '-Path '
    condition: selection
falsepositives:
    - Unknown
level: low

title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low

title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low

title: PowerShell Script With File Upload Capabilities
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: test
description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
author: frack113
date: 2022-01-07
modified: 2025-07-18
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
    selection_flag:
        ScriptBlockText|contains:
            - '-Method "POST"'
            - '-Method "PUT"'
            - '-Method POST'
            - '-Method PUT'
            - "-Method 'POST'"
            - "-Method 'PUT'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: Powershell Suspicious Win32_PnPEntity
id: b26647de-4feb-4283-af6b-6117661283c5
status: test
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
author: frack113
date: 2021-08-23
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1120
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Win32_PnPEntity
    condition: selection
falsepositives:
    - Admin script
level: low

title: Previously Installed IIS Module Was Removed
id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
status: test
description: Detects the removal of a previously installed IIS module.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/remove'
    condition: selection
falsepositives:
    - Legitimate administrator activity
# Note: Upgrade after an initial baseline
level: low

title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: test
description: |
    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
    Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - Unknown
level: low

title: Process Discovery
id: 4e2f5868-08d4-413d-899f-dc2f1508627b
status: stable
description: |
  Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
  Information obtained could be used to gain an understanding of common software/applications running on systems within the network
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
    - https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
author: Ömer Günal, oscd.community, CheraaghiMilad
date: 2020-10-06
modified: 2022-07-07
tags:
    - attack.discovery
    - attack.t1057
    - detection.threat-hunting
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/atop'
            - '/htop'
            - '/pgrep'
            - '/ps'
            - '/pstree'
            - '/top'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

title: Process Execution From WebDAV Share
id: f8de9dd5-7a63-4cfd-9d0c-ae124878b5a9
status: experimental
description: |
    Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
    Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
    Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
references:
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.execution
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    condition: selection
falsepositives:
    - Legitimate use of WebDAV shares for process execution
    - Known applications executing from WebDAV paths
level: low

title: Process Terminated Via Taskkill
id: 86085955-ea48-42a2-9dd3-85d4c36b167d
status: test
description: |
    Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
    Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
date: 2021-12-26
modified: 2024-10-06
tags:
    - attack.impact
    - attack.t1489
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\taskkill.exe'
        - OriginalFileName: 'taskkill.exe'
    selection_cli_force:
        - CommandLine|contains|windash: ' /f '
        - CommandLine|endswith|windash: ' /f'
    selection_cli_filter_process:
        CommandLine|contains|windash:
            - ' /im '
            - ' /pid '
    filter_main_installers:
        ParentImage|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\Temp'
        ParentImage|endswith: '.tmp'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
level: low

title: PsExec Default Named Pipe
id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
status: test
description: Detects PsExec service default pipe creation
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
    - detection.threat-hunting
logsource:
    category: pipe_created
    product: windows
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName: '\PSEXESVC'
    condition: selection
falsepositives:
    - Unknown
level: low

title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSEXESVC.exe'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Python Image Load By Non-Python Process
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
status: test
description: |
    Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
    Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
    Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
references:
    - https://www.py2exe.org/
    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
author: Patrick St. John, OTR (Open Threat Research)
date: 2020-05-03
modified: 2025-08-18
tags:
    - attack.stealth
    - attack.t1027.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Description: 'Python Core'
    filter_main_generic:
        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.
        - Image|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
              - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
    filter_optional_null_image:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Py2Exe Binaries
    - Known false positive caused with Python Anaconda
    - Various legitimate software is bundled from Python code into executables
level: low

title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
description: |
    Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low

title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: test
description: |
    Detects identities attempting to enumerate their Kubernetes RBAC permissions.
    In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
    In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
    This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
references:
    - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1069.003
    - attack.t1087.004
    - attack.discovery
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        apiGroup: 'authorization.k8s.io'
        objectRef.resource: 'selfsubjectrulesreviews'
    condition: selection
falsepositives:
    - Unknown
level: low

title: RegAsm.EXE Execution Without CommandLine Flags or Files
id: 651f87f7-12db-47f9-84c5-f27b081b94b6
status: experimental
description: |
    Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
    Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
references:
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
    - https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
    - https://www.joesandbox.com/analysis/1467354/0/html
author: frack113
date: 2025-06-04
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\RegAsm.exe'
        - OriginalFileName: 'RegAsm.exe'
    selection_cli:
        CommandLine|endswith:
            - 'RegAsm'
            - 'RegAsm.exe'
            - 'RegAsm.exe"'
            - "RegAsm.exe'"
    condition: all of selection_*
falsepositives:
    - Legitimate use of Regasm by developers.
# Note: You can increase after an initial baseline
level: low

title: Registry Modification Via Regini.EXE
id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
related:
    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
      type: derived
status: test
description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-08
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    filter:
        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
    condition: selection and not filter
falsepositives:
    - Legitimate modification of keys
level: low

title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: Detects command execution via ScreenConnect RMM
references:
    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    service: application
    product: windows
detection:
    selection:
        Provider_Name: 'ScreenConnect'
        EventID: 200
        Data|contains: 'Executed command of length'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
level: low

title: Remote Access Tool - ScreenConnect File Transfer
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: Detects file being transferred via ScreenConnect RMM
references:
    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    service: application
    product: windows
detection:
    selection:
        Provider_Name: 'ScreenConnect'
        EventID: 201
        Data|contains: 'Transferred files with action'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
level: low

title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: test
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
modified: 2024-02-26
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        # Example:
        #   CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
        CommandLine|contains: '\TEMP\ScreenConnect\'
    condition: all of selection_*
falsepositives:
    - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
# Note: Increase the level if you don't leverage ScreenConnect
level: low

title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: |
    Detects the creation of files in a specific location by ScreenConnect RMM.
    ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ScreenConnect.WindowsClient.exe'
        TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
# Note: Incase the level if ScreenConnect is not used
level: low

title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low

title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low

title: Remote Access Tool - Team Viewer Session Started On Windows Host
id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
related:
    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: 'TeamViewer_Desktop.exe'
        ParentImage: 'TeamViewer_Service.exe'
        CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low

title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
    - https://www.cisa.gov/stopransomware/ransomware-guide
author: Ömer Günal
date: 2020-06-18
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1105
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low

title: Remote PowerShell Session (PS Classic)
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
related:
    - id: 96b9f619-aa91-478f-bacb-c3e50f8df575
      type: derived
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2024-01-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'HostName=ServerRemoteHost'
            - 'wsmprovhost.exe'
    condition: selection
falsepositives:
    - Legitimate use remote PowerShell sessions
# Note: Increase the level to "medium" in environments that do not leverage PowerShell remoting
level: low

title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1036.003
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
            - 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low

title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low

title: Run Once Task Execution as Configured in Registry
id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
status: test
description: This rule detects the execution of Run Once task as configured in the registry
references:
    - https://twitter.com/pabraeken/status/990717080805789697
    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
    - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
date: 2020-10-18
modified: 2022-12-13
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\runonce.exe'
        - Description: 'Run Once Wrapper'
    selection_cli:
        - CommandLine|contains: '/AlternateShellStartup'
        - CommandLine|endswith: '/r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: SC.EXE Query Execution
id: 57712d7a-679c-4a41-a913-87e7175ae429
status: test
description: Detects execution of "sc.exe" to query information about registered services on the system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
author: frack113
date: 2021-12-06
modified: 2024-02-08
tags:
    - attack.discovery
    - attack.t1007
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\sc.exe'
        OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: ' query'
    filter_optional_keybase:
        CommandLine: 'sc query dokan1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate query of a service by an administrator to get more information such as the state or PID
    - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
level: low

title: SNAKE Malware Installer Name Indicators
id: 99eccc2b-7182-442f-8806-b76cc36d866b
status: test
description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\jpsetup.exe'
            - '\jpinst.exe'
    condition: selection
falsepositives:
    - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
level: low