title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium

title: PUA - WebBrowserPassView Execution
id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
status: test
description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-08-20
modified: 2023-02-14
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Web Browser Password Viewer'
        - Image|endswith: '\WebBrowserPassView.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Pass the Hash Activity 2
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
status: stable
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
    - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019-06-14
modified: 2022-10-05
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
    selection_logon3:
        EventID: 4624
        SubjectUserSid: 'S-1-0-0'
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        KeyLength: 0
    selection_logon9:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'seclogo'
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: 1 of selection_* and not filter
falsepositives:
    - Administrator activity
level: medium

title: Password Policy Enumerated
id: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199
status: test
description: Detects when the password policy is enumerated.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661
    - https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
author: Zach Mathis
date: 2023-05-19
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4661 # A handle to an object was requested.
        AccessList|contains: '%%5392' # ReadPasswordParameters
        ObjectServer: 'Security Account Manager'
    condition: selection
level: medium

title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.stealth
    - attack.t1027
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    filter:  # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
        TargetName|contains: '\Temporary Internet Files\Content.Outlook'
    condition: selection and not filter
falsepositives:
    - Legitimate used of encrypted ZIP files
level: medium

title: Password Provided In Command Line Of Net.EXE
id: d4498716-1d52-438f-8084-4a603157d131
status: test
description: Detects a when net.exe is called with a password in the command line
references:
    - Internal Research
author: Tim Shelton (HAWK.IO)
date: 2021-12-09
modified: 2023-02-21
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.002
    - attack.t1078
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ':*\\'
            - '/USER:* *'
    filter_main_empty:
        CommandLine|endswith: ' '
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Password Reset By User Account
id: 340ee172-4b67-4fb4-832f-f961bdc1f3aa
status: test
description: Detect when a user has reset their password in Azure AD
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: YochanaHenderson, '@Yochana-H'
date: 2022-08-03
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'UserManagement'
        Status: 'Success'
        Initiatedby: 'UPN'
    filter:
        Target|contains: 'UPN'
        ActivityType|contains: 'Password reset'
    condition: selection and filter
falsepositives:
    - If this was approved by System Administrator or confirmed user action.
level: medium

title: Password Set to Never Expire via WMI
id: 7864a175-3654-4824-9f0d-f0da18ab27c0
status: experimental
description: |
    Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
references:
    - https://www.huntress.com/blog/the-unwanted-guest
author: "Daniel Koifman (KoifSec)"
date: 2025-07-30
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1047
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  wmic  useraccount where name='guest' set passwordexpires=false
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'useraccount'
            - ' set '
            - 'passwordexpires'
            - 'false'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium

title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of registry key containing path to binary used as screensaver.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020-10-11
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
    filter:
        Image|endswith:
            - '\rundll32.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate modification of screensaver
level: medium

title: Path Traversal Exploitation Attempts
id: 7745c2ea-24a5-4290-b680-04359cb84b35
status: test
description: Detects path traversal exploitation attempts
references:
    - https://github.com/projectdiscovery/nuclei-templates
    - https://book.hacktricks.xyz/pentesting-web/file-inclusion
author: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-25
modified: 2023-08-31
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '../../../../../lib/password'
            - '../../../../windows/'
            - '../../../etc/'
            - '..%252f..%252f..%252fetc%252f'
            - '..%c0%af..%c0%af..%c0%afetc%c0%af'
            - '%252e%252e%252fetc%252f'
    condition: selection
falsepositives:
    - Expected to be continuously seen on systems exposed to the Internet
    - Internal vulnerability scanners
level: medium

title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.stealth
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - '/Volumes/'
            - 'enc'
            - '-base64'
            - ' -d '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Periodic Backup For System Registry Hives Enabled
id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
status: test
description: |
    Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
    Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-01
tags:
    - attack.collection
    - attack.t1113
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Session Manager\Configuration Manager\EnablePeriodicBackup'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate need for RegBack feature by administrators.
level: medium

title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\perl.exe'
        - OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
    selection_cli:
        CommandLine|contains: ' -e'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Permission Check Via Accesschk.EXE
id: c625d754-6a3d-4f65-9c9a-536aea960d37
status: test
description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
    - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-20
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Product|endswith: 'AccessChk'
        - Description|contains: 'Reports effective permissions'
        - Image|endswith:
              - '\accesschk.exe'
              - '\accesschk64.exe'
        - OriginalFileName: 'accesschk.exe'
    selection_cli:
        CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
            - 'uwcqv '
            - 'kwsu '
            - 'qwsu '
            - 'uwdqs '
    condition: all of selection*
falsepositives:
    - System administrator Usage
level: medium

title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
    This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml

title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
    The disk cleanup manager is part of the operating system.
    It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    root:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    selection_autorun:
        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
        TargetObject|contains: '\Autorun'
        Details: 'DWORD (0x00000001)'
    selection_pre_after:
        TargetObject|contains:
            - '\CleanupString'
            - '\PreCleanupString'
        Details|contains:
            # Add more as you see fit
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - 'wsl'
            - '\Users\Public\'
            - '\Windows\TEMP\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: root and 1 of selection_*
falsepositives:
    - Unknown
level: medium

title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
status: test
description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
    - https://persistence-info.github.io/Data/codesigning.html
    - https://github.com/gtworek/PSBits/tree/master/SIP
    - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1553.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_root:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
    selection_dll:
        TargetObject|contains:
            - '\Dll'
            - '\$DLL'
    filter:
        Details:
            # Add more legitimate SIP providers according to your env
            - WINTRUST.DLL
            - mso.dll
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|contains: '\CryptSIPDll'
        Details: 'C:\Windows\System32\PsfSip.dll'
    condition: all of selection_* and not 1 of filter*
falsepositives:
    - Legitimate SIP being registered by the OS or different software.
level: medium

title: Persistence Via Sudoers.d Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: |
    Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
    Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
    Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
references:
    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2026-03-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.003
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/etc/sudoers.d/'
    filter_main_dpkg:
        Image|endswith: '/usr/bin/dpkg'
        TargetFilename: '/etc/sudoers.d/README.dpkg-new'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Creation of legitimate files in sudoers.d folder as part of administrator work
level: medium

title: Persistence Via TypedPaths - CommandLine
id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
status: test
description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
references:
    - https://twitter.com/dez_/status/1560101453150257154
    - https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
tags:
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Php Inline Command Execution
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: test
description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
references:
    - https://www.php.net/manual/en/features.commandline.php
    - https://www.revshells.com/
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\php.exe'
        - OriginalFileName: 'php.exe'
    selection_cli:
        CommandLine|contains: ' -r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: PktMon.EXE Execution
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Detects execution of PktMon, a tool that captures network packets.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
date: 2022-03-17
modified: 2023-06-23
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\pktmon.exe'
        - OriginalFileName: 'PktMon.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: test
description: |
    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
author: David Burkett (@signalblur)
date: 2024-04-16
references:
    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
    - https://regex101.com/r/RugQYK/1
    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1572
    - attack.t1021.001
    - attack.t1021.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ssh.exe'
        CommandLine|contains|windash: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: medium

title: Portable Gpg.EXE Execution
id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
status: test
description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
references:
    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
    - https://securelist.com/locked-out/68960/
    - https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-06
modified: 2023-11-10
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - OriginalFileName: 'gpg.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    filter_main_legit_location:
        Image|contains:
            - ':\Program Files (x86)\GNU\GnuPG\bin\'
            - ':\Program Files (x86)\GnuPG VS-Desktop\'
            - ':\Program Files (x86)\GnuPG\bin\'
            - ':\Program Files (x86)\Gpg4win\bin\'
    condition: selection and not 1 of filter_main_*
level: medium

title: Possible DC Shadow Attack
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
related:
    - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
      type: derived
status: test
description: Detects DCShadow via create new SPN
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019-10-25
modified: 2022-10-17
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1207
logsource:
    product: windows
    service: security
    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
    selection1:
        EventID: 4742
        ServicePrincipalNames|contains: 'GC/'
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: servicePrincipalName
        AttributeValue|startswith: 'GC/'
    condition: 1 of selection*
falsepositives:
    - Valid on domain controllers; exclude known DCs
level: medium

title: Possible PrintNightmare Print Driver Install - CVE-2021-1675
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
    - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
      type: derived
status: stable
description: |
    Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
    - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://github.com/corelight/CVE-2021-1675
    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
author: '@neu5ron (Nate Guagenti)'
date: 2021-08-23
modified: 2025-11-03
tags:
    - attack.execution
    - cve.2021-1678
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
    condition: selection
falsepositives:
    - Legitimate remote alteration of a printer driver.
level: medium

title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
    - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
    selection:
        EventID: 4662
        # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
        AccessMask|endswith:
            # Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
            - '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
            - '3?' # Read Property + Write Property
            - '4?' # Read Property + Delete Tree
            - '7?' # Read Property + Write Property + Delete Tree
            - '9?' # Read Property + List Object
            - 'B?' # Read Property + Write Property + List Object
            - 'D?' # Read Property + Delete Tree + List Object
            - 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
    filter_main_machine_accounts:
        SubjectUserName|endswith: '$' # Exclude machine accounts
    filter_main_msql:
        SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators configuring new users.
level: medium

title: Potential AMSI Bypass Script Using NULL Bits
id: fa2559c8-1197-471d-9cdd-05a0273d4522
related:
    - id: 92a974db-ab84-457f-9ec0-55db83d7a825
      type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - "if(0){{{0}}}' -f $(0 -as [char]) +"
            - "#<NULL>"
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential AMSI Bypass Using NULL Bits
id: 92a974db-ab84-457f-9ec0-55db83d7a825
related:
    - id: fa2559c8-1197-471d-9cdd-05a0273d4522
      type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "if(0){{{0}}}' -f $(0 -as [char]) +"
            - "#<NULL>"
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: test
description: |
    Detects potential APT FIN7 exploitation activity as reported by Google.
    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_notepad_plus:
        ParentImage|endswith: '\notepad++.exe'
        Image|endswith: '\cmd.exe'
    selection_rdpinit:
        ParentImage|endswith: '\rdpinit.exe'
        Image|endswith: '\notepad++.exe'
    condition: 1 of selection_*
falsepositives:
    - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
level: medium

title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
status: test
description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
references:
    - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-02
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1218.010
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'regsvr32'
            - '\AppData\Local\'
            - '.dll'
            - ',DllEntry'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
    Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.
    This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
references:
    - https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
    - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
modified: 2025-07-04
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4768
        TicketEncryptionType: '0x17'
        ServiceName: 'krbtgt'
        PreAuthType: 0
    condition: selection
falsepositives:
    - Legacy systems or applications that legitimately use RC4 encryption
    - Misconfigured accounts with pre-authentication disabled
level: medium

title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\AVKkid.dll'
    filter_main_legit_path:
        Image|contains:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
        Image|endswith: '\AVKKid.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\G DATA\'
            - 'C:\Program Files\G DATA\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
    Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
    to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
    or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
    misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
    - attack.execution
    - attack.t1059.004
    - attack.impact
    - attack.t1529
    - attack.t1489
    - attack.t1499
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /proc/sysrq-trigger -p wa -k sysrq
        -w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
    selection:
        type: 'PATH'
        name|endswith:
            # Enable
            - '/sysrq'
            - '/sysctl.conf'
            # Execute
            - '/sysrq-trigger'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium

title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - stp.4u
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium

title: Potential Active Directory Enumeration Using AD Module - ProcCreation
id: 70bc5215-526f-4477-963c-a47a5c9ebd12
related:
    - id: 9e620995-f2d8-4630-8430-4afd89f77604
      type: similar
    - id: 74176142-4684-4d8a-8b0a-713257e7df8e
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cmdlet:
        CommandLine|contains:
            - 'Import-Module '
            - 'ipmo '
    selection_dll:
        CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium

title: Potential Active Directory Enumeration Using AD Module - PsModule
id: 74176142-4684-4d8a-8b0a-713257e7df8e
related:
    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12
      type: similar
    - id: 9e620995-f2d8-4630-8430-4afd89f77604
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_cmdlet:
        Payload|contains:
            - 'Import-Module '
            - 'ipmo '
    selection_dll:
        Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium

title: Potential Active Directory Enumeration Using AD Module - PsScript
id: 9e620995-f2d8-4630-8430-4afd89f77604
related:
    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12
      type: similar
    - id: 74176142-4684-4d8a-8b0a-713257e7df8e
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113, Nasreddine Bencherchali
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enable'
detection:
    selection_generic:
        ScriptBlockText|contains|all:
            - 'Import-Module '
            - 'Microsoft.ActiveDirectory.Management.dll'
    selection_specific:
        ScriptBlockText|contains: 'ipmo Microsoft.ActiveDirectory.Management.dll'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium

title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
    - https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
    - attack.discovery
    - attack.t1069.002
    - attack.t1087.002
    - attack.t1482
logsource:
    product: windows
    service: ldap
    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            # - '(objectCategory=Computer)' Prone to false positives
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
            - 'admincount=1'
    distinguished_name_enumeration:
        EventID: 30
        SearchFilter: '(objectclass=\*)'
        DistinguishedName|contains:
            - 'CN=Domain Admins'
            - 'CN=Enterprise Admins'
            - 'CN=Group Policy Creator Owners'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium

title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\amazon-ssm-agent.exe'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium

title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    # Bitdefender
    selection_bitdefender:
        ImageLoaded|endswith: '\log.dll'
    filter_log_dll_bitdefender:
        ImageLoaded|startswith:
            - 'C:\Program Files\Bitdefender Antivirus Free\'
            - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
    filter_log_dll_dell_sar:
        Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
        ImageLoaded:
            - 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
            - 'C:\Program Files\Dell\SARemediation\audit\log.dll'
    filter_log_dll_canon:
        ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
    filter_log_dll_avast:
        ImageLoaded:
            - 'C:\Program Files\AVAST Software\Avast\log.dll'
            - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
    filter_log_dll_avg:
        ImageLoaded:
            - 'C:\Program Files\AVG\Antivirus\log.dll'
            - 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
    # F-Secure
    selection_fsecure:
        ImageLoaded|endswith: '\qrt.dll'
    filter_fsecure:
        ImageLoaded|startswith:
            - 'C:\Program Files\F-Secure\Anti-Virus\'
            - 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
    # McAfee
    selection_mcafee:
        ImageLoaded|endswith:
            - '\ashldres.dll'
            - '\lockdown.dll'
            - '\vsodscpl.dll'
    filter_mcafee:
        ImageLoaded|startswith:
            - 'C:\Program Files\McAfee\'
            - 'C:\Program Files (x86)\McAfee\'
    # CyberArk
    selection_cyberark:
        ImageLoaded|endswith: '\vftrace.dll'
    filter_cyberark:
        ImageLoaded|startswith:
            - 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
            - 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
    # Avast
    selection_avast:
        ImageLoaded|endswith: '\wsc.dll'
    filter_wsc_dll_avast:
        ImageLoaded|startswith:
            - 'C:\program Files\AVAST Software\Avast\'
            - 'C:\program Files (x86)\AVAST Software\Avast\'
    filter_wsc_dll_avg:
        ImageLoaded|startswith:
            - 'C:\Program Files\AVG\Antivirus\'
            - 'C:\Program Files (x86)\AVG\Antivirus\'
    # ESET
    selection_eset_deslock:
        ImageLoaded|endswith: '\DLPPREM32.dll'
    filter_eset_deslock:
        ImageLoaded|startswith:
            - 'C:\program Files\ESET'
            - 'C:\program Files (x86)\ESET'
    # Trend Micro Titanium
    selection_titanium:
        ImageLoaded|endswith: '\tmdbglog.dll'
    filter_titanium:
        ImageLoaded|startswith:
            - 'C:\program Files\Trend Micro\Titanium\'
            - 'C:\program Files (x86)\Trend Micro\Titanium\'
    condition: (selection_bitdefender and not 1 of filter_log_dll_*)
               or (selection_fsecure and not filter_fsecure)
               or (selection_mcafee and not filter_mcafee)
               or (selection_cyberark and not filter_cyberark)
               or (selection_avast and not 1 of filter_wsc_dll_*)
               or (selection_titanium and not filter_titanium)
               or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
    - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
    - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
    - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
level: medium

title: Potential Application Whitelisting Bypass via Dnx.EXE
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: test
description: |
    Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
    Attackers might abuse this in order to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019-10-26
modified: 2024-04-24
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnx.exe'
    condition: selection
falsepositives:
    - Legitimate use of dnx.exe by legitimate user
level: medium

title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ftp.exe'
    selection_child_img:
        - Image|endswith: '\ftp.exe'
        - OriginalFileName: 'ftp.exe'
    selection_child_cli:
        CommandLine|contains|windash: '-s:'
    condition: selection_parent or all of selection_child_*
falsepositives:
    - Unknown
level: medium

title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
    - id: 2621b3a6-3840-4810-ac14-a02426086171
      type: obsolete
status: test
description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
references:
    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Arbitrary File Download Via Cmdl32.EXE
id: f37aba28-a9e6-4045-882c-d5004043b337
status: test
description: |
    Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
    Attackers can abuse this utility in order to download arbitrary files via a configuration file.
    Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
    - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
    - https://github.com/LOLBAS-Project/LOLBAS/pull/151
author: frack113
date: 2021-11-03
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdl32.exe'
        - OriginalFileName: CMDL32.EXE
    selection_cli:
        CommandLine|contains|all:
            - '/vpn'
            - '/lan'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
    - id: d443095b-a221-4957-a2c4-cd1756c9b747
      type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|endswith: '='
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: |
    Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
    This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
    Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2025-04-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith:
            - '\accesschk.exe'
            - '\accesschk64.exe'
            - '\AccessEnum.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADInsight.exe'
            - '\ADInsight64.exe'
            - '\adrestore.exe'
            - '\adrestore64.exe'
            - '\Autologon.exe'
            - '\Autologon64.exe'
            - '\Autoruns.exe'
            - '\Autoruns64.exe'
            - '\autorunsc.exe'
            - '\autorunsc64.exe'
            - '\Bginfo.exe'
            - '\Bginfo64.exe'
            - '\Cacheset.exe'
            - '\Cacheset64.exe'
            - '\Clockres.exe'
            - '\Clockres64.exe'
            - '\Contig.exe'
            - '\Contig64.exe'
            - '\Coreinfo.exe'
            - '\Coreinfo64.exe'
            - '\CPUSTRES.EXE'
            - '\CPUSTRES64.EXE'
            - '\ctrl2cap.exe'
            - '\Dbgview.exe'
            - '\dbgview64.exe'
            - '\Desktops.exe'
            - '\Desktops64.exe'
            - '\disk2vhd.exe'
            - '\disk2vhd64.exe'
            - '\diskext.exe'
            - '\diskext64.exe'
            - '\Diskmon.exe'
            - '\Diskmon64.exe'
            - '\DiskView.exe'
            - '\DiskView64.exe'
            - '\du.exe'
            - '\du64.exe'
            - '\efsdump.exe'
            - '\FindLinks.exe'
            - '\FindLinks64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\hex2dec.exe'
            - '\hex2dec64.exe'
            - '\junction.exe'
            - '\junction64.exe'
            - '\ldmdump.exe'
            - '\listdlls.exe'
            - '\listdlls64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\loadOrd.exe'
            - '\loadOrd64.exe'
            - '\loadOrdC.exe'
            - '\loadOrdC64.exe'
            - '\logonsessions.exe'
            - '\logonsessions64.exe'
            - '\movefile.exe'
            - '\movefile64.exe'
            - '\notmyfault.exe'
            - '\notmyfault64.exe'
            - '\notmyfaultc.exe'
            - '\notmyfaultc64.exe'
            - '\ntfsinfo.exe'
            - '\ntfsinfo64.exe'
            - '\pendmoves.exe'
            - '\pendmoves64.exe'
            - '\pipelist.exe'
            - '\pipelist64.exe'
            - '\portmon.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\Procmon.exe'
            - '\Procmon64.exe'
            - '\psExec.exe'
            - '\psExec64.exe'
            - '\psfile.exe'
            - '\psfile64.exe'
            - '\psGetsid.exe'
            - '\psGetsid64.exe'
            - '\psInfo.exe'
            - '\psInfo64.exe'
            - '\pskill.exe'
            - '\pskill64.exe'
            - '\pslist.exe'
            - '\pslist64.exe'
            - '\psLoggedon.exe'
            - '\psLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\psping.exe'
            - '\psping64.exe'
            - '\psService.exe'
            - '\psService64.exe'
            - '\psshutdown.exe'
            - '\psshutdown64.exe'
            - '\pssuspend.exe'
            - '\pssuspend64.exe'
            - '\RAMMap.exe'
            - '\RAMMap64.exe'
            - '\RDCMan.exe'
            - '\RegDelNull.exe'
            - '\RegDelNull64.exe'
            - '\regjump.exe'
            - '\ru.exe'
            - '\ru64.exe'
            - '\sdelete.exe'
            - '\sdelete64.exe'
            - '\ShareEnum.exe'
            - '\ShareEnum64.exe'
            - '\shellRunas.exe'
            - '\sigcheck.exe'
            - '\sigcheck64.exe'
            - '\streams.exe'
            - '\streams64.exe'
            - '\strings.exe'
            - '\strings64.exe'
            - '\sync.exe'
            - '\sync64.exe'
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
            - '\tcpvcon.exe'
            - '\tcpvcon64.exe'
            - '\tcpview.exe'
            - '\tcpview64.exe'
            - '\Testlimit.exe'
            - '\Testlimit64.exe'
            - '\vmmap.exe'
            - '\vmmap64.exe'
            - '\Volumeid.exe'
            - '\Volumeid64.exe'
            - '\whois.exe'
            - '\whois64.exe'
            - '\Winobj.exe'
            - '\Winobj64.exe'
            - '\ZoomIt.exe'
            - '\ZoomIt64.exe'
    selection_arm64:
        Image|endswith:
            - '\accesschk64a.exe'
            - '\ADExplorer64a.exe'
            - '\ADInsight64a.exe'
            - '\adrestore64a.exe'
            - '\Autologon64a.exe'
            - '\Autoruns64a.exe'
            - '\autorunsc64a.exe'
            - '\Clockres64a.exe'
            - '\Contig64a.exe'
            - '\Coreinfo64a.exe'
            - '\Dbgview64a.exe'
            - '\disk2vhd64a.exe'
            - '\diskext64a.exe'
            - '\DiskView64a.exe'
            - '\du64a.exe'
            - '\FindLinks64a.exe'
            - '\handle64a.exe'
            - '\hex2dec64a.exe'
            - '\junction64a.exe'
            - '\LoadOrd64a.exe'
            - '\LoadOrdC64a.exe'
            - '\logonsessions64a.exe'
            - '\movefile64a.exe'
            - '\notmyfault64a.exe'
            - '\notmyfaultc64a.exe'
            - '\pendmoves64a.exe'
            - '\pipelist64a.exe'
            - '\procdump64a.exe'
            - '\procexp64a.exe'
            - '\Procmon64a.exe'
            - '\PsExec64a.exe'
            - '\psfile64a.exe'
            - '\PsGetsid64a.exe'
            - '\PsInfo64a.exe'
            - '\pskill64a.exe'
            - '\psloglist64a.exe'
            - '\pspasswd64a.exe'
            - '\psping64a.exe'
            - '\PsService64a.exe'
            - '\pssuspend64a.exe'
            - '\RAMMap64a.exe'
            - '\RegDelNull64a.exe'
            - '\ru64a.exe'
            - '\sdelete64a.exe'
            - '\sigcheck64a.exe'
            - '\streams64a.exe'
            - '\strings64a.exe'
            - '\sync64a.exe'
            - '\Sysmon64a.exe'
            - '\tcpvcon64a.exe'
            - '\tcpview64a.exe'
            - '\vmmap64a.exe'
            - '\whois64a.exe'
            - '\Winobj64a.exe'
            - '\ZoomIt64a.exe'
    filter_valid:
        - Company:
              - 'Sysinternals - www.sysinternals.com'
              - 'Sysinternals'
        - Product|startswith: 'Sysinternals'
    filter_empty:
        - Company: null
        - Product: null
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2025-07-04
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.chm'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.jar'
            - '.js'
            - '.ocx'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    filter_main_user_temp:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_other_temp:
        # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
        TargetFilename|startswith:
            - 'C:\Windows\Temp\'
            - 'C:\Windows\SystemTemp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_main_powershell_module:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
        TargetFilename|endswith: '.dll'
    filter_main_nuget:
        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium

title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c ' # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium

title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
id: ac1c92b4-ac81-405a-9978-4604d78cc47e
status: test
description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
references:
    - https://twitter.com/0xBoku/status/1679200664013135872
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VSDiagnostics.exe'
        - OriginalFileName: 'VSDiagnostics.exe'
    selection_cli_start:
        CommandLine|contains: 'start'
    selection_cli_launch:
        CommandLine|contains:
            - ' /launch:'
            - ' -launch:'
    condition: all of selection_*
falsepositives:
    - Legitimate usage for tracing and diagnostics purposes
level: medium