Sigma (generic) detection rules

1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems.

Detection rules

medium
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
status test author Nasreddine Bencherchali (Nextron Systems) id 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
title: Potential Browser Data Stealing
id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
related:
    - id: fc028194-969d-4122-8abe-0470d5b8f12f
      type: derived
status: test
description: |
    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
    Web browsers typically store the credentials in an encrypted format within a credential store.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
    - https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2025-03-19
tags:
    - attack.credential-access
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - CommandLine|contains:
              - 'copy-item'
              - 'copy '
              - 'cpi '
              - ' cp '
              - 'move '
              - 'move-item'
              - ' mi '
              - ' mv '
        - Image|endswith:
              - '\esentutl.exe' # akira ransomware
              - '\xcopy.exe'
              - '\robocopy.exe'
        - OriginalFileName:
              - 'esentutl.exe'
              - 'XCOPY.EXE'
              - 'robocopy.exe'
    selection_path:
        CommandLine|contains:
            - '\Amigo\User Data'
            - '\BraveSoftware\Brave-Browser\User Data'
            - '\CentBrowser\User Data'
            - '\Chromium\User Data'
            - '\CocCoc\Browser\User Data'
            - '\Comodo\Dragon\User Data'
            - '\Elements Browser\User Data'
            - '\Epic Privacy Browser\User Data'
            - '\Google\Chrome Beta\User Data'
            - '\Google\Chrome SxS\User Data'
            - '\Google\Chrome\User Data\'
            - '\Kometa\User Data'
            - '\Maxthon5\Users'
            - '\Microsoft\Edge\User Data'
            - '\Mozilla\Firefox\Profiles'
            - '\Nichrome\User Data'
            - '\Opera Software\Opera GX Stable\'
            - '\Opera Software\Opera Neon\User Data'
            - '\Opera Software\Opera Stable\'
            - '\Orbitum\User Data'
            - '\QIP Surf\User Data'
            - '\Sputnik\User Data'
            - '\Torch\User Data'
            - '\uCozMedia\Uran\User Data'
            - '\Vivaldi\User Data'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
status test author X__Junior (Nextron Systems) id 1fbc0671-5596-4e17-8682-f020a0b995dc
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerDU.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith:
            - '\CCleaner.exe'
            - '\CCleaner64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
status test author X__Junior id 3735d5ac-d770-4da0-99ff-156b180bc600
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior
date: 2023-07-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerReactivator.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith: '\CCleanerReactivator.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
medium
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
status test author Kutepov Anton, oscd.community id 9b0f8a61-91b2-464f-aceb-0527e0a45020
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'HKU\'
            - 'Classes\CLSID\'
            - '\TreatAs'
    filter_main_svchost:
        # Example of target object by svchost
        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
        Image: 'C:\WINDOWS\system32\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
    - type: atomic-red-team
      name: COM hijacking via TreatAs
      technique: T1546.015
      atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
medium
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
status test author frack113 id 3c7d1587-3b13-439f-9941-7d14313dbdfe
title: Potential COM Objects Download Cradles Usage - PS Script
id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
related:
    - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
      type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection_1:
        ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        ScriptBlockText|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library
level: medium
medium
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
status test author frack113 id 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
    - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
      type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains: '[Type]::GetTypeFromCLSID('
    selection_2:
        CommandLine|contains:
            - '0002DF01-0000-0000-C000-000000000046'
            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
            - '88d96a0a-f192-11d4-a65f-0040963251e5'
            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
            - '88d96a0b-f192-11d4-a65f-0040963251e5'
            - '2087c2f4-2cef-4953-a8ab-66779b670495'
            - '000209FF-0000-0000-C000-000000000046'
            - '00024500-0000-0000-C000-000000000046'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library
level: medium
medium
Potential CVE-2021-27905 Exploitation Attempt
Detects exploitation attempts of CVE-2021-27905, which affects all Apache Solr versions prior to and including 8.8.1.
status test author @gott_cyber id 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: test
description: Detects exploitation attempts of CVE-2021-27905, which affects all Apache Solr versions prior to and including 8.8.1.
references:
    - https://twitter.com/Al1ex4/status/1382981479727128580
    - https://twitter.com/sec715/status/1373472323538362371
    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
    - https://github.com/murataydemir/CVE-2021-27905
author: '@gott_cyber'
date: 2022-12-11
modified: 2023-03-24
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-27905
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_request1:
        cs-uri-query|contains|all:
            - '/solr/'
            - '/debug/dump?'
            - 'param=ContentStream'
        sc-status: 200
    selection_request2:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/solr/'
            - 'command=fetchindex'
            - 'masterUrl='
        sc-status: 200
    condition: 1 of selection_*
falsepositives:
    - Vulnerability Scanners
level: medium
medium
Potential CVE-2021-42278 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
status test author frack113 id 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
title: Potential CVE-2021-42278 Exploitation Attempt
id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
related:
    - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
      type: similar
status: test
description: |
    The attacker creates a computer object using those permissions with a password known to her.
    After that she clears the attribute ServicePrincipalName on the computer object.
    Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
    - attack.credential-access
    - attack.t1558.003
    - cve.2021-42278
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # Active Directory
        EventID:
            - 35 # PAC without attributes
            - 36 # Ticket without a PAC
            - 37 # Ticket without Requestor
            - 38 # Requestor Mismatch
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2021-42287 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
status test author frack113 id e80a0fee-1a62-4419-b31e-0d0db6e6013a
title: Potential CVE-2021-42287 Exploitation Attempt
id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
related:
    - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
      type: similar
status: test
description: |
    The attacker creates a computer object using those permissions with a password known to her.
    After that she clears the attribute ServicePrincipalName on the computer object.
    Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
    - attack.credential-access
    - attack.t1558.003
    - detection.emerging-threats
    - cve.2021-42287
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Directory-Services-SAM  # Active Directory
        EventID:
            - 16990 # Object class and UserAccountControl validation failure
            - 16991 # SAM Account Name validation failure
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.
status test author @kostastsale id 5660d8db-6e25-411f-b92f-094420168a5d
title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
id: 5660d8db-6e25-411f-b92f-094420168a5d
status: test
description: |
    Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
    As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.
references:
    - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
    - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
author: '@kostastsale'
date: 2022-04-25
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1059.006
    - attack.t1190
    - cve.2022-22954
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\prunsrv.exe'
    selection_payload_pwsh:
        Image|endswith: '\powershell.exe'
    selection_payload_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '/c powershell'
    condition: selection_parent and 1 of selection_payload_*
falsepositives:
    - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
level: medium
medium
Potential CVE-2023-2283 Exploitation
Detects potential exploitation attempt of CVE-2023-2283, an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
status test author Florian Roth (Nextron Systems) id 8b244735-5833-4517-a45b-28d8c63924c0
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: test
description: Detects potential exploitation attempt of CVE-2023-2283, an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
    - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
    - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2283
    - https://www.blumira.com/cve-2023-2283/
    - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
author: Florian Roth (Nextron Systems)
date: 2023-06-09
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-2283
    - detection.emerging-threats
logsource:
    product: linux
    service: sshd
detection:
    keywords:
        - 'Failed to generate curve25519 keys'
    condition: keywords
falsepositives:
    - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
level: medium
medium
Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
status test author Nasreddine Bencherchali (Nextron Systems) id de96b824-02b0-4241-9356-7e9b47f04bac
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
    - https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2025-10-13
tags:
    - attack.exfiltration
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        - ServerAddress|cidr:
              # IPv4
              - '10.0.0.0/8'
              - '127.0.0.0/8'
              - '169.254.0.0/16'
              - '172.16.0.0/12'
              - '192.168.0.0/16'
              # IPv6
              - '::1/128'  # IPv6 loopback
              - 'fe80::/10'  # IPv6 link-local addresses
              - 'fc00::/7'  # IPv6 private addresses
        - Address|startswith:
        # This is for EventID 30804, which doesn't have the "ServerAddress" field, but a field called "Address" and it contains a socket address (IP:Port) and not an IP
              # IPv4
              - '10.'
              - '127.'
              - '169.254.'
              - '172.'
              - '192.168.'
              # IPv6
              - '::1'
              - 'fe80::'
              - 'fc00::'
        # The filters below cover the XML raw log
        - Address|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
        - ServerAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
        - RemoteAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
medium
Potential CVE-2023-27997 Exploitation Indicators
Detects indicators of potential exploitation of CVE-2023-27997 in FortiGate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter.
status test author Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems) id 31e4e649-7394-4fd2-9ae7-dbc61eebb550
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: test
description: |
    Detects indicators of potential exploitation of CVE-2023-27997 in FortiGate weblogs.
    To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
references:
    - https://blog.lexfo.fr/Forensics-xortigate-notice.html
    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html
    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/
    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
author: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-27997
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri-query|contains:
            - '/remote/hostcheck_validate'
            - '/remote/logincheck'
    selection_keywords:
        - 'enc='
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
status test author Nasreddine Bencherchali (Nextron Systems) id 92389a99-5215-43b0-a09f-e334453b2ed3
title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
id: 92389a99-5215-43b0-a09f-e334453b2ed3
status: test
description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
references:
    - https://github.com/Wh04m1001/CVE-2023-36874
    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
    - attack.execution
    - cve.2023-36874
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\WER\ReportArchive\'
        TargetFilename|endswith: '\Report.wer'
    filter_main_locations:
        TargetFilename|contains:
            # Note: This list is non exhaustive. Use this as a start for hunting for suspicious folder report
            - '\ReportArchive\AppCrash_'
            - '\ReportArchive\AppHang_'
            - '\ReportArchive\Critical_'
            - '\ReportArchive\Kernel_'
            - '\ReportArchive\NonCritical_'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2023-36884 Exploitation - File Downloads
Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
status test author X__Junior id 6af1617f-c179-47e3-bd66-b28034a1052d
title: Potential CVE-2023-36884 Exploitation - File Downloads
id: 6af1617f-c179-47e3-bd66-b28034a1052d
status: test
description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains:
            - '/ex001.url'
            - '/file001.search-ms'
            - '/file001.url'
            - '/file001.vbs'
            - '/file1.mht'
            - '/o2010.asp'
            - '/redir_obj.html'
            - '/RFile.asp'
            - '/zip_k.asp'
            - '/zip_k2.asp'
            - '/zip_k3.asp'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
title: Potential CVE-2023-36884 Exploitation Dropped File
id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
status: test
description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
    - https://twitter.com/wdormann/status/1679184475677130755
    - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.persistence
    - cve.2023-36884
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
        TargetFilename|endswith: '\file001.url'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2023-46214 Exploitation Attempt
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
status test author Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT) id 04017cd5-621e-4ec4-a762-1f042fe3d3e5
title: Potential CVE-2023-46214 Exploitation Attempt
id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
related:
    - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
      type: derived
status: test
description: |
    Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
references:
    - https://github.com/nathan31337/Splunk-RCE-poc/
    - https://blog.hrncirik.net/cve-2023-46214-analysis
    - https://advisory.splunk.com/advisories/SVD-2023-1104
author: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT)
date: 2023-11-27
tags:
    - attack.lateral-movement
    - attack.t1210
    - cve.2023-46214
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: POST
        cs-uri-query|contains|all:
            - 'NO_BINARY_CHECK=1'
            - 'input.path'
        cs-uri-query|endswith: '.xsl'
        sc-status:
            - 200
            - 302
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
status test author Andreas Braathen (mnemonic.io) id bcd95697-e3e7-4c6f-8584-8e3503e6929f
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
status: test
description: |
    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
references:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - cve.2024-3400
    - detection.emerging-threats
logsource:
    product: paloalto
    service: globalprotect
    category: file_event
    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
detection:
    selection:
        TargetFilename|contains:
            - '{IFS}'
            - 'base64'
            - 'bash'
            - 'curl'
            - 'http'
        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
    condition: selection
falsepositives:
    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
level: medium
medium
Potential CVE-2024-35250 Exploitation Activity
Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
status experimental author @eyezuhk Isaac Fernandes id 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
view Sigma YAML
title: Potential CVE-2024-35250 Exploitation Activity
id: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1
status: experimental
description: |
    Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
references:
    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
    - https://github.com/varwara/CVE-2024-35250
    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: '@eyezuhk Isaac Fernandes'
date: 2025-02-19
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2024-35250
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\ksproxy.ax'
    filter_main_system_paths:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_zoom:
        Image|endswith: '\AppData\Roaming\Zoom\bin\Zoom.exe'
    filter_optional_firefox:
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_optional_chrome:
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_optional_opera:
        Image|endswith: '\AppData\Local\Programs\Opera\opera.exe'
    filter_optional_discord:
        Image|endswith: '\AppData\Local\Discord\app-*\Discord.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications that use Windows Stream Interface APIs.
    - Media applications that use DirectShow filters.
level: medium
medium
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 72ca7c75-bf85-45cd-aca7-255d360e423c
view Sigma YAML
title: Potential Chrome Frame Helper DLL Sideloading
id: 72ca7c75-bf85-45cd-aca7-255d360e423c
status: test
description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
references:
    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-05-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\chrome_frame_helper.dll'
    filter_main_path:
        ImageLoaded|startswith:
            - 'C:\Program Files\Google\Chrome\Application\'
            - 'C:\Program Files (x86)\Google\Chrome\Application\'
    filter_optional_user_path:
        ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
status test author Christian Burkard (Nextron Systems) id 1327381e-6ab0-4f38-b583-4c1b8346a56b
view Sigma YAML
title: Potential Command Line Path Traversal Evasion Attempt
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
status: test
description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
references:
    - https://twitter.com/hexacorn/status/1448037865435320323
    - https://twitter.com/Gal_B1t/status/1062971006078345217
author: Christian Burkard (Nextron Systems)
date: 2021-10-26
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|contains: '\Windows\'
        CommandLine|contains:
            - '\..\Windows\'
            - '\..\System32\'
            - '\..\..\'
    selection_2:
        CommandLine|contains: '.exe\..\'
    filter_optional_google_drive:
        CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\'
    filter_optional_citrix:
        CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Google Drive
    - Citrix
level: medium
medium
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
status test author frack113, Florian Roth (Nextron Systems) id e0552b19-5a83-4222-b141-b36184bb8d79
view Sigma YAML
title: Potential CommandLine Obfuscation Using Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
related:
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: similar
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
      type: similar
    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
      type: obsolete
status: test
description: |
    Detects potential CommandLine obfuscation using unicode characters.
    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems)
date: 2022-01-15
modified: 2024-09-05
tags:
    - attack.stealth
    - attack.t1027
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # spacing modifier letters that get auto-replaced
            - 'ˣ' # 0x02E3
            - '˪' # 0x02EA
            - 'ˢ' # 0x02E2
            # Forward slash alternatives
            - '∕' # 0x2215 (division slash)
            - '⁄' # 0x2044 (fraction slash)
            # Hyphen alternatives
            - '―' # 0x2015
            - '—' # 0x2014
            # Whitespace that doesn't work as a path separator
            - ' ' # 0x00A0
            # Other
            - '¯'
            - '®'
            - '¶'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
status test author juju4 id f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
view Sigma YAML
title: Potential Commandline Obfuscation Using Escape Characters
id: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
status: test
description: Detects potential commandline obfuscation using known escape characters
references:
    - https://twitter.com/vysecurity/status/885545634958385153
    - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link
    - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link
    - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques
    - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
date: 2018-12-11
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1140
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # - <TAB>   # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)
            - 'h^t^t^p'
            - 'h"t"t"p'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Configuration And Service Reconnaissance Via Reg.EXE
Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
status test author Timur Zinniatullin, oscd.community id 970007b7-ce32-49d0-a4a4-fbef016950bd
view Sigma YAML
title: Potential Configuration And Service Reconnaissance Via Reg.EXE
id: 970007b7-ce32-49d0-a4a4-fbef016950bd
status: test
description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
    - attack.discovery
    - attack.t1012
    - attack.t1007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_flag:
        CommandLine|contains: 'query'
    selection_key:
        CommandLine|contains:
            - 'currentVersion\windows'
            - 'winlogon\'
            - 'currentVersion\shellServiceObjectDelayLoad'
            - 'currentVersion\run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
            - 'currentVersion\policies\explorer\run'
            - 'currentcontrolset\services'
    condition: all of selection_*
falsepositives:
    - Discord
level: medium
medium
Potential Cookies Session Hijacking
Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
status test author Nasreddine Bencherchali (Nextron Systems) id 5a6e1e16-07de-48d8-8aae-faa766c05e88
view Sigma YAML
title: Potential Cookies Session Hijacking
id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
status: test
description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        - CommandLine|re: '\s-c\s'
        - CommandLine|contains: '--cookie-jar'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
medium
Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
status test author Samir Bousseaden, Michael Haag id 5ef9853e-4d0e-4a70-846f-a9ca37d876da
view Sigma YAML
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
    Detects process access requests to the LSASS process with specific call trace calls and access masks.
    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
    - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019-04-03
modified: 2024-03-02
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1038'
            - '0x1438'
            - '0x143a'
            - '0x1fffff' # Too many false positives
            # - '0x01000'  # Too many false positives
            # - '0x1010'   # Too many false positives
            # - '0x1400'  # Too many false positives
            # - '0x1410' # Too many false positives
            # - '0x40'   # Too many false positives
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
            - 'kernel32.dll'
            - 'kernelbase.dll'
            - 'ntdll.dll'
    filter_main_system_user:
        SourceUser|contains: # Covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_thor:
        CallTrace|contains|all:
            - ':\Windows\Temp\asgard2-agent\'
            - '\thor\thor64.exe+'
            - '|UNKNOWN('
        GrantedAccess: '0x103800'
    filter_optional_sysmon:
        SourceImage|endswith: ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
status test author Nasreddine Bencherchali (Nextron Systems) id 0442defa-b4a2-41c9-ae2c-ea7042fc4701
view Sigma YAML
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    filter:
        TargetObject|contains:
            - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
            - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
            - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
            # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
    filter_valid_procs:
        Image: C:\Windows\System32\poqexec.exe
    condition: selection and not 1 of filter*
falsepositives:
    - Other legitimate network providers used and not filtered in this rule
level: medium
medium
Potential Credential Dumping Attempt Via PowerShell
Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
status test author oscd.community, Natalia Shornikova id 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
view Sigma YAML
title: Potential Credential Dumping Attempt Via PowerShell
id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
related:
    - id: 3f07b9d1-2082-4c56-9277-613a621983cc
      type: obsolete
    - id: fb656378-f909-47c1-8747-278bf09f4f4f
      type: similar
status: test
description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-11-28
tags:
    - attack.credential-access
    - attack.t1003.001
    - detection.threat-hunting
logsource:
    product: windows
    category: process_access
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
status test author Florian Roth (Nextron Systems), Hieu Tran id 0f0450f3-8b47-441e-a31b-15a91dc243e2
view Sigma YAML
title: Potential DLL File Download Via PowerShell Invoke-WebRequest
id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
status: test
description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Florian Roth (Nextron Systems), Hieu Tran
date: 2023-03-13
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-RestMethod '
            - 'Invoke-WebRequest '
            - 'IRM '
            - 'IWR '
        CommandLine|contains|all:
            - 'http'
            - 'OutFile'
            - '.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Injection Or Execution Using Tracker.exe
Detects potential DLL injection and execution using "Tracker.exe"
status test author Avneet Singh @v3t0_, oscd.community id 148431ce-4b70-403d-8525-fcc2993f29ea
view Sigma YAML
title: Potential DLL Injection Or Execution Using Tracker.exe
id: 148431ce-4b70-403d-8525-fcc2993f29ea
status: test
description: Detects potential DLL injection and execution using "Tracker.exe"
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020-10-18
modified: 2023-01-09
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\tracker.exe'
        - Description: 'Tracker'
    selection_cli:
        CommandLine|contains:
            - ' /d '
            - ' /c '
    filter_msbuild1:
        CommandLine|contains: ' /ERRORREPORT:PROMPT '
    filter_msbuild2:
        # Example:
        #   GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
        #   ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
        #   CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
        ParentImage|endswith:
            - '\Msbuild\Current\Bin\MSBuild.exe'
            - '\Msbuild\Current\Bin\amd64\MSBuild.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Injection Via AccCheckConsole
Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
status test author Florian Roth (Nextron Systems) id 0f6da907-5854-4be6-859a-e9958747b0aa
view Sigma YAML
title: Potential DLL Injection Via AccCheckConsole
id: 0f6da907-5854-4be6-859a-e9958747b0aa
status: test
description: |
    Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI.
    One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc.
    The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
references:
    - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
    - https://twitter.com/bohops/status/1477717351017680899?s=12
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2024-08-29
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\AccCheckConsole.exe'
        - OriginalFileName: 'AccCheckConsole.exe'
    selection_cli:
        CommandLine|contains:
            - ' -hwnd'
            - ' -process '
            - ' -window '
    condition: all of selection_*
falsepositives:
    - Legitimate use of the UI Accessibility Checker
level: medium
medium
Potential DLL Sideloading Activity Via ExtExport.EXE
Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags was provided.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id fb0b815b-f5f6-4f50-970f-ffe21f253f7a
view Sigma YAML
title: Potential DLL Sideloading Activity Via ExtExport.EXE
id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a
status: test
description: |
    Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
    It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
    Arbitrary DLLs can also be loaded if a specific number of flags was provided.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Extexport/
    - https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
    - https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
    - https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-08-26
tags:
    - attack.stealth
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Extexport.exe'
        - OriginalFileName: 'extexport.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 9ca2bf31-0570-44d8-a543-534c47c33ed7
view Sigma YAML
title: Potential DLL Sideloading Of DBGCORE.DLL
id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
status: test
description: Detects DLL sideloading of "dbgcore.dll"
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\dbgcore.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_steam:
        ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
    filter_optional_opera:
        # C:\\Users\\User\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp\\opera_package_202311051506321\\assistant\\dbgcore.dll
        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
        ImageLoaded|endswith: '\assistant\dbgcore.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
medium
Potential DLL Sideloading Of DBGHELP.DLL
Detects potential DLL sideloading of "dbghelp.dll"
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) id 6414b5cd-b19d-447e-bb5e-9f03940b5784
view Sigma YAML
title: Potential DLL Sideloading Of DBGHELP.DLL
id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
status: test
description: Detects potential DLL sideloading of "dbghelp.dll"
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\dbghelp.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_anaconda:
        ImageLoaded|endswith:
            - '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll'
            - '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll'
    filter_optional_epicgames:
        ImageLoaded|endswith:
            - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
            - '\Epic Games\MagicLegends\x86\dbghelp.dll'
    filter_optional_opera:
        ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
        ImageLoaded|endswith: '\assistant\dbghelp.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
medium
Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll"
status test author Gary Lobermier id fef394cd-f44d-4040-9b18-95d92fe278c0
view Sigma YAML
title: Potential DLL Sideloading Of DbgModel.DLL
id: fef394cd-f44d-4040-9b18-95d92fe278c0
status: test
description: Detects potential DLL sideloading of "DbgModel.dll"
references:
    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
author: Gary Lobermier
date: 2024-07-11
modified: 2024-07-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\dbgmodel.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    filter_optional_windbg:
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.WinDbg_'
    filter_optional_windows_kits:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
medium
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
status test author Nasreddine Bencherchali (Nextron Systems) id e49b5745-1064-4ac1-9a2e-f687bc2dd37e
view Sigma YAML
title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
status: test
description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
        ImageLoaded|endswith: '\libcurl.dll'
    filter_main_notepad_plusplus:
        Image|endswith: '\Notepad++\updater\GUP.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
status test author Nasreddine Bencherchali (Nextron Systems), Wietze Beukema id 5ba243e5-8165-4cf7-8c69-e1d3669654c1
title: Potential DLL Sideloading Of MpSvc.DLL
id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
status: test
description: Detects potential DLL sideloading of "MpSvc.dll".
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\MpSvc.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
medium
Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
status test author Wietze Beukema id cdb15e19-c2d0-432a-928e-e49c8c60dcf2
title: Potential DLL Sideloading Of MsCorSvc.DLL
id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
status: test
description: Detects potential DLL sideloading of "mscorsvc.dll".
references:
    - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
author: Wietze Beukema
date: 2024-07-11
modified: 2025-02-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\mscorsvc.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Windows\Microsoft.NET\Framework\'
            - 'C:\Windows\Microsoft.NET\Framework64\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
medium
Potential DLL Sideloading Using Coregen.exe
Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
status test author frack113 id 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
title: Potential DLL Sideloading Using Coregen.exe
id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
status: test
description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
author: frack113
date: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1218
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\coregen.exe'
    filter_main_legit_paths:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Silverlight\'
            - 'C:\Program Files\Microsoft Silverlight\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
status test author frack113 id caa02837-f659-466f-bca6-48bde2826ab4
title: Potential DLL Sideloading Via ClassicExplorer32.dll
id: caa02837-f659-466f-bca6-48bde2826ab4
status: test
description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
references:
    - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
    - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
author: frack113
date: 2022-12-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection_classicexplorer:
        ImageLoaded|endswith: '\ClassicExplorer32.dll'
    filter_classicexplorer:
        ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
    condition: selection_classicexplorer and not filter_classicexplorer
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
status test author @gott_cyber id e173ad47-4388-4012-ae62-bd13f71c18a8
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
    - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
      type: similar
status: test
description: |
    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022-08-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\deviceenroller.exe'
        - OriginalFileName: 'deviceenroller.exe'
    selection_cli:
        CommandLine|contains: '/PhoneDeepLink'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential DLL Sideloading Via JsSchHlp
Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
status test author frack113 id 68654bf0-4412-43d5-bfe8-5eaa393cd939
title: Potential DLL Sideloading Via JsSchHlp
id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
status: test
description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
references:
    - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
    - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
author: frack113
date: 2022-12-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\JSESPR.dll'
    filter:
        ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
status test author frack113 id 9a7afa56-4762-43eb-807d-c3dc9ffe211b
title: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: test
description: |
    Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-09-26
modified: 2024-11-01
tags:
    - attack.exfiltration
    - attack.t1048.003
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Send-MailMessage*-Attachments'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Data Exfiltration Via Audio File
Detects potential exfiltration attempt via audio file using PowerShell
status test author Nasreddine Bencherchali (Nextron Systems) id e4f93c99-396f-47c8-bb0f-201b1fa69034
title: Potential Data Exfiltration Via Audio File
id: e4f93c99-396f-47c8-bb0f-201b1fa69034
status: test
description: Detects potential exfiltration attempt via audio file using PowerShell
references:
    - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.exfiltration
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_main:
        ScriptBlockText|contains|all:
            - '[System.Math]::'
            - '[IO.FileMode]::'
            - 'BinaryWriter'
    selection_header_wav:
        ScriptBlockText|contains|all:
            # Byte chunks from the WAV header used in the example POC
            # You can extend this for different audio formats by adding different selections
            - '0x52'
            - '0x49'
            - '0x46'
            - '0x57'
            - '0x41'
            - '0x56'
            - '0x45'
            - '0xAC'
    condition: selection_main and 1 of selection_header_*
falsepositives:
    - Unknown
level: medium
medium
Potential Data Exfiltration Via Curl.EXE
Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration.
status test author Florian Roth (Nextron Systems), Cedric MAURUGEON (Update) id 00bca14a-df4e-4649-9054-3f2aa676bc04
title: Potential Data Exfiltration Via Curl.EXE
id: 00bca14a-df4e-4649-9054-3f2aa676bc04
status: test
description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
references:
    - https://twitter.com/d1r4c/status/1279042657508081664
    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
    - https://curl.se/docs/manpage.html
author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
date: 2020-07-03
modified: 2023-05-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_cli:
        - CommandLine|contains:
              - ' --form' # Also covers the "--form-string"
              - ' --upload-file '
              - ' --data '
              - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
        - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
    filter_optional_localhost:
        CommandLine|contains:
            - '://localhost'
            - '://127.0.0.1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Scripts created by developers and admins
level: medium
medium
Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
status test author Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) id 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2026-06-05
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CONHOST.EXE'
            - '7z.exe'
            - '7za.exe'
            - '7zr.exe'
            - 'WinRAR.exe'
            - 'wevtutil.exe'
            - 'net.exe'
            - 'net1.exe'
            - 'netsh.exe'
            - 'InstallUtil.exe'
    filter:
        Image|endswith:
            - '\cmd.exe'
            - '\conhost.exe'
            - '\7z.exe'
            - '\7za.exe'
            - '\7zr.exe'
            - '\WinRAR.exe'
            - '\wevtutil.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\InstallUtil.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml
medium
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
status test author Christian Burkard (Nextron Systems), Tim Shelton (FP) id 3f3f3506-1895-401b-9cc3-e86b16e630d0
title: Potential Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: test
description: Detects potential calls to NtOpenProcess directly from NTDLL.
references:
    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
date: 2021-07-28
modified: 2023-12-13
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
    filter_main_vcredist:
        TargetImage|endswith: 'vcredist_x64.exe'
        SourceImage|endswith: 'vcredist_x64.exe'
    filter_main_generic:
        # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
        TargetImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    filter_main_kerneltrace_edge:
        # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    filter_optional_vmware:
        TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
        SourceImage|endswith: 'setup64.exe' # vmware
    filter_optional_cylance:
        SourceImage|endswith: ':\Windows\Explorer.EXE'
        TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
    filter_optional_amazon:
        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
    filter_optional_vscode: # VsCode
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_optional_teams: # MS Teams
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_discord: # Discord
        TargetImage|contains: '\AppData\Local\Discord\'
        TargetImage|endswith: '\Discord.exe'
    filter_optional_yammer:
        SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
        SourceImage|endswith: '\Yammer.exe'
        TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
        TargetImage|endswith: '\Yammer.exe'
        GrantedAccess: '0x1000'
    filter_optional_evernote:
        TargetImage|endswith: '\Evernote\Evernote.exe'
    filter_optional_adobe_acrobat:
        SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        SourceImage|endswith: '\AcroCEF.exe'
        TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        TargetImage|endswith: '\AcroCEF.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
status test author Nasreddine Bencherchali (Nextron Systems) id 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
    - id: 85de3a19-b675-4a51-bfc6-b11a5186c971
      type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Discovery Activity Using Find - MacOS
Detects usage of "find" binary in a suspicious manner to perform discovery
status test author Nasreddine Bencherchali (Nextron Systems) id 85de3a19-b675-4a51-bfc6-b11a5186c971
title: Potential Discovery Activity Using Find - MacOS
id: 85de3a19-b675-4a51-bfc6-b11a5186c971
related:
    - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
      type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/find'
        CommandLine|contains:
            - '-perm -4000'
            - '-perm -2000'
            - '-perm 0777'
            - '-perm -222'
            - '-perm -o w'
            - '-perm -o x'
            - '-perm -u=s'
            - '-perm -g=s'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
status test author @gott_cyber id b6457d63-d2a2-4e29-859d-4e7affc153d1
title: Potential Discovery Activity Via Dnscmd.EXE
id: b6457d63-d2a2-4e29-859d-4e7affc153d1
status: test
description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
    - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
    - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
author: '@gott_cyber'
date: 2022-07-31
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\dnscmd.exe'
    selection_cli:
        CommandLine|contains:
            - '/enumrecords'
            - '/enumzones'
            - '/ZonePrint'
            - '/info'
    condition: all of selection_*
falsepositives:
    - Legitimate administration use
level: medium
Showing 751-800 of 1,492