title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.t1071.004
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical

title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems)
date: 2021-08-07
modified: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Suspicious PowerShell Mailbox Export to Share - PS
id: 4a241dea-235b-4a7e-8d76-50d817b146c4
related:
    - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
      type: derived
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
    - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
      type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
    - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
    - https://github.com/netero1010/TrustedPath-UACBypass-BOF
    - https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'C:\Windows \System32\'
            - 'C:\Windows \SysWOW64\'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Turla Group Commands May 2020
id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
status: test
description: Detects commands used by Turla group as reported by ESET in May 2020
references:
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2025-10-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.g0010
    - attack.execution
    - attack.t1059.001
    - attack.t1053.005
    - attack.t1027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains:
            - 'tracert -h 10 yahoo.com'
            - '.WSqmCons))|iex;'
            - 'Fr`omBa`se6`4Str`ing'
    selection_cli_2:
        CommandLine|re: 'net\s+use\s+https://docs.live.net'
        CommandLine|contains: '@aol.co.uk'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: test
description: Detects automated lateral movement by Turla group
references:
    - https://securelist.com/the-epic-turla-operation/65545/
author: Markus Neis
date: 2017-11-07
modified: 2022-10-09
tags:
    - attack.g0010
    - attack.execution
    - attack.t1059
    - attack.lateral-movement
    - attack.t1021.002
    - attack.discovery
    - attack.t1083
    - attack.t1135
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
            - 'dir c:\\*.doc* /s'
            - 'dir %TEMP%\\*.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: test
description: Detects a named pipe used by Turla group samples
references:
    - Internal Research
author: Markus Neis
date: 2017-11-06
modified: 2021-11-27
tags:
    - attack.g0010
    - attack.execution
    - attack.t1106
    - detection.emerging-threats
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\atctl'    # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
            - '\comnap'   # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\iehelper' # ruag apt case
            - '\sdlrpc'   # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            - '\userpipe' # ruag apt case
            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
status: test
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
references:
    - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
author: Florian Roth (Nextron Systems)
date: 2018-11-23
modified: 2021-11-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.g0010
    - attack.t1543.003
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'WerFaultSvc'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
status: test
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
    - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
author: Florian Roth (Nextron Systems)
date: 2021-01-20
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1047
    - detection.emerging-threats
    # - sunburst
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'Invoke-WMIMethod win32_process -name create -argumentlist'
            - 'rundll32 c:\windows'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic /node:'
            - 'process call create "rundll32 c:\windows'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical

title: UNC4841 - Potential SEASPY Execution
id: f6a711f3-d032-4f9e-890b-bbe776236c84
status: test
description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/BarracudaMailService'
            - '/resize2fstab'
            - '/resize_reisertab'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019-12-19
modified: 2021-08-09
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    b64encoding:
        c-uri|contains:
            - '_2f'
            - '_2b'
    urlpatterns:
        c-uri|contains|all:
            - '.avi'
            - '/images/'
    condition: b64encoding and urlpatterns
falsepositives:
    - Unknown
level: critical

title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
    - attack.credential-access
    - attack.t1003
    - attack.s0005
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectName|endswith: '\wceaux.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter:  # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical

title: WannaCry Ransomware Activity
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: test
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://x.com/nas_bench/status/1868639048484425963
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-18
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.t1222.001
    - attack.impact
    - attack.t1486
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\tasksche.exe'
              - '\mssecsvc.exe'
              - '\taskdl.exe'
              - '\taskhsvc.exe'
              - '\taskse.exe'
              - '\111.exe'
              - '\lhdfrgui.exe'
              # - '\diskpart.exe'  # cannot be used in a rule of level critical
              - '\linuxnew.exe'
              - '\wannacry.exe'
        - Image|contains: 'WanaDecryptor'
    selection_cmd:
        CommandLine|contains: '@[email protected]'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
    - Personal Experience of the Author
    - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
        Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL:
            - 'execve'
            - 'execveat'
        euid: 33
    condition: selection
falsepositives:
    - Admin activity
    - Crazy web applications
level: critical

title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
    - https://twitter.com/malmoeb/status/1511760068743766026
    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
    - attack.initial-access
    - cve.2021-42278
    - cve.2021-42287
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    service: security
    product: windows
detection:
    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
    selection1:
        SamAccountName|startswith: 'SAMTHEADMIN-'
        SamAccountName|endswith: '$'
    selection2:
        TargetUserName|startswith: 'SAMTHEADMIN-'
        TargetUserName|endswith: '$'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
references:
    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
date: 2020-02-01
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|contains:
            - 'C:\Windows\Temp'
            - '\hpqhvind.exe'
        Image|startswith: 'C:\ProgramData\DRM'
    selection2:
        ParentImage|startswith: 'C:\ProgramData\DRM'
        Image|endswith: '\wmplayer.exe'
    selection3:
        ParentImage|endswith: '\Test.exe'
        Image|endswith: '\wmplayer.exe'
    selection4:
        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
    selection5:
        ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
        Image|endswith: '\SearchFilterHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical

title: Winnti Pipemon Characteristics
id: 73d70463-75c9-4258-92c6-17500fe972f2
status: stable
description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
references:
    - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
author: Florian Roth (Nextron Systems), oscd.community
date: 2020-07-30
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: 'setup0.exe -p'
    selection_2:
        CommandLine|contains: 'setup.exe'
        CommandLine|endswith:
            - '-x:0'
            - '-x:1'
            - '-x:2'
    condition: 1 of selection_*
falsepositives:
    - Legitimate setups that use similar flags
level: critical

title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1047
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
    - https://www.secura.com/blog/zero-logon
    - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
    - attack.t1210
    - attack.lateral-movement
logsource:
    service: system
    product: windows
detection:
    selection:
        EventID:
            - 5805
            - 5723
    keywords:
        - kali
        - mimikatz
    condition: selection and keywords
level: critical

title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
status: test
description: Detects a ZxShell start by the called and well-known function name
references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2017-07-20
modified: 2021-11-27
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1218.011
    - attack.s0412
    - attack.g0001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'zxFunction'
            - 'RemoteDiskXXXXX'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: .RDP File Created By Uncommon Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: derived
status: test
description: |
    Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2024-11-01
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.rdp'
        Image|endswith:
            # Covers browsers
            - '\brave.exe'
            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\Opera.exe'
            - '\Vivaldi.exe'
            - '\Whale.exe'
            # Covers email clients
            - '\olk.exe' # Outlook
            - '\Outlook.exe'
            - '\RuntimeBroker.exe' # If the windows mail client is used
            - '\Thunderbird.exe'
            # Covers chat applications
            - '\Discord.exe' # Should open the browser for download, but just in case.
            - '\Keybase.exe'
            - '\msteams.exe'
            - '\Slack.exe'
            - '\teams.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
    - id: 91e69562-2426-42ce-a647-711b8152ced6
      type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.Exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: high

title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
    - id: c86500e9-a645-4680-98d7-f882c70c1ea3
      type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    selection:
        ScriptBlockText|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: high

title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
    - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
    selection:
        EventID: 4661
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
    selection_object:
        - ObjectName|endswith:
              - '-512'
              - '-502'
              - '-500'
              - '-505'
              - '-519'
              - '-520'
              - '-544'
              - '-551'
              - '-555'
        - ObjectName|contains: 'admin'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and selection_object and not filter
falsepositives:
    - If source account name is not an admin then its super suspicious
level: high

title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
status: test
description: Detects certificate creation with template allowing risk permission subject and risky EKU
references:
    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum , BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
logsource:
    product: windows
    service: security
    definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag with risky EKU.
detection:
    selection10:
        EventID: 4898
        TemplateContent|contains:
            - '1.3.6.1.5.5.7.3.2'
            - '1.3.6.1.5.2.3.4'
            - '1.3.6.1.4.1.311.20.2.2'
            - '2.5.29.37.0'
    selection11:
        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'

    selection20:
        EventID: 4899
        NewTemplateContent|contains:
            - '1.3.6.1.5.5.7.3.2'
            - '1.3.6.1.5.2.3.4'
            - '1.3.6.1.4.1.311.20.2.2'
            - '2.5.29.37.0'
    selection21:
        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'

    condition: (selection10 and selection11) or (selection20 and selection21)
falsepositives:
    - Administrator activity
    - Proxy SSL certificate with subject modification
    - Smart card enrollement
level: high

title: ADSelfService Exploitation
id: 6702b13c-e421-44cc-ab33-42cc25570f11
status: test
description: Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
references:
    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
author: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)
date: 2021-09-20
modified: 2023-01-02
tags:
    - cve.2021-40539
    - detection.emerging-threats
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/help/admin-guide/Reports/ReportGenerate.jsp'
            - '/ServletApi/../RestApi/LogonCustomization'
            - '/ServletApi/../RestAPI/Connection'
    condition: selection
falsepositives:
    - Unknown
level: high

title: AMSI Bypass Pattern Assembly GetType
id: e0d6c087-2d1c-47fd-8799-3904103c5a98
status: test
description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
references:
    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
    - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
author: Florian Roth (Nextron Systems)
date: 2022-11-09
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.execution
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '[Ref].Assembly.GetType'
            - 'SetValue($null,$true)'
            - 'NonPublic,Static'
    condition: selection
falsepositives:
    - Unknown
level: high

title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
      type: similar
status: experimental
description: |
    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0

title: APT PRIVATELOG Image Load Pattern
id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
status: test
description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
references:
    - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
author: Florian Roth (Nextron Systems)
date: 2021-09-07
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\clfsw32.dll'
    condition: selection
falsepositives:
    - Rarely observed
level: high

title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
    - Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
         # APT Related
            - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
            - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
            - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
            - 'webclient' # Naikon APT
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
            - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
            - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
            - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
            - 'Netscape' # Unit78020 Malware
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
            - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
            - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
            - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
            - 'Mozilla v5.1 *' # Sofacy Zebrocy samples
            - 'MSIE 8.0' # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
            - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
            - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
            - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*' # KerrDown UA
            - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
            - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
            - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
            - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
            - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
            - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001'  # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
    condition: selection
falsepositives:
    - Old browsers
level: high

title: APT40 Dropbox Tool User Agent
id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
status: test
description: Detects suspicious user agent string of APT40 Dropbox tool
references:
    - Internal research from Florian Roth
author: Thomas Patzke
date: 2019-11-12
modified: 2023-05-18
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.exfiltration
    - attack.t1567.002
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
        cs-host: 'api.dropbox.com'
    condition: selection
falsepositives:
    - Old browsers
level: high

title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
    Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
      - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
      - Modification of the /proc/sys/kernel/randomize_va_space file
      - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
    Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
    A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
    - https://man7.org/linux/man-pages/man2/personality.2.html
    - https://manual.cs50.io/2/personality
    - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685
    - attack.t1055.009
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall:
        type: 'SYSCALL'
        SYSCALL: 'personality'
        a0: 40000
    selection_sysctl:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: '-w'
        a2: 'kernel.randomize_va_space=0' # 0 = disable
    condition: 1 of selection_*
falsepositives:
    - Debugging or legitimate software testing
level: high

title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: test
description: Detects AWS Config Service disabling
references:
    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'config.amazonaws.com'
        eventName:
            - 'DeleteDeliveryChannel'
            - 'StopConfigurationRecorder'
    condition: selection
falsepositives:
    - Valid change in AWS Config Service
level: high

title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: 'userData'
        eventName: ModifyInstanceAttribute
    condition: selection_source
falsepositives:
    - Valid changes to the startup script
level: high

title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
    Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
    Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
    Verify with the user identity that this activity is legitimate.
references:
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
    - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
    - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
    - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
    - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
    - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
    - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
    - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.t1685.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_source:
        eventSource: 'guardduty.amazonaws.com'
    selection_action_delete:
        eventName: 'DeleteDetector'
    selection_action_update:
        eventName: 'UpdateDetector'
        requestParameters.enable: 'false'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
    - Legitimate detector deletion by an admin (e.g., during account decommissioning).
    - Temporary disablement for troubleshooting (verify via change management tickets).
    - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high

title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: test
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
author: faloker
date: 2020-02-11
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: guardduty.amazonaws.com
        eventName: CreateIPSet
    condition: selection_source
falsepositives:
    - Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high

title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: [email protected] (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.execution
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1059.009
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'GetLoginProfile'
            - 'CreateLoginProfile'
        userAgent|contains: 'S3 Browser'
    condition: selection
falsepositives:
    - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high

title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: [email protected] (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.009
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: iam.amazonaws.com
        eventName: PutUserPolicy
        userAgent|contains: 'S3 Browser'
        requestParameters|contains|all:
            - '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
            - '"s3:GetObject"'
            - '"Allow"'
    condition: selection
falsepositives:
    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high

title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: [email protected] (@danielhbohannon)
date: 2023-05-17
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1059.009
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'CreateUser'
            - 'CreateAccessKey'
        userAgent|contains: 'S3 Browser'
    condition: selection
falsepositives:
    - Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high

title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource:
            - 'sso-directory.amazonaws.com'
            - 'sso.amazonaws.com'
        eventName:
            - 'AssociateDirectory'
            - 'DisableExternalIdPConfigurationForDirectory'
            - 'DisassociateDirectory'
            - 'EnableExternalIdPConfigurationForDirectory'
    condition: selection
falsepositives:
    - Authorized changes to the AWS account's identity provider
level: high

title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
    Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
    - https://www.chrisfarris.com/post/effective-aws-ransomware/
    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
    - attack.impact
    - attack.t1486
    - attack.resource-development
    - attack.t1608.003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'kms.amazonaws.com'
        eventName:
            - 'ImportKeyMaterial'
            - 'DeleteImportedKeyMaterial'
    condition: selection
falsepositives:
    - Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements.
    - Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high

title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: securityhub.amazonaws.com
        eventName:
            - 'BatchUpdateFindings'
            - 'DeleteInsight'
            - 'UpdateFindings'
            - 'UpdateInsight'
    condition: selection
falsepositives:
    - System or Network administrator behaviors
    - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high

title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: test
description: |
    Detects activity when someone is changing passwords on behalf of other users.
    An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
references:
    - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
author: toffeebr33k
date: 2021-08-09
modified: 2024-04-26
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'UpdateLoginProfile'
    filter_main_user_identity:
        userIdentity.arn|fieldref: requestParameters.userName
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate user account administration
level: high

title: AWS VPC Flow Logs Deleted
id: e386b9b5-af12-450e-afff-761730fb8a98
status: experimental
description: |
    Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
    Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html
    - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html
    - https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion
author: Ivan Saakov
date: 2025-10-19
tags:
    - attack.stealth
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_name:
        eventName: 'DeleteFlowLogs'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_name and 1 of selection_status_*
falsepositives:
    - During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities.
level: high

title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith:
            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
            - '\coreclr.dll'
            - '\facesdk.dll'
            - '\HPCustPartUI.dll'
            - '\libcef.dll'
            - '\ZIPDLL.dll'
    selection_folders_1:
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high

title: Abuse of Service Permissions to Hide Services Via Set-Service
id: 514e4c3a-c77d-4cde-a00f-046425e2301e
related:
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0
      type: derived
    - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
      type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'pwsh.dll'
    selection_sddl:
        # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
        CommandLine|contains|all:
            - 'Set-Service '
            - 'DCLCWPDTSD'
    selection_cmdlet:
        CommandLine|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    condition: all of selection_*
falsepositives:
    - Rare intended use of hidden services
level: high