
Sigma (generic) detection rules

1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
The raw rules come from the SigmaHQ Detection Rules repository and are served upstream under the Detection Rule License (DRL) 1.1. Pick a platform above for a converted pack, or see all packs.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Rules carry ATT&CK tags (a tactic, and usually a technique), so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it. A rule tagged only with a tactic, such as attack.stealth, has no single test to pair with; build your own trigger from the rule's selection instead.
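The three steps are easier to reason about with the matching semantics in front of you. The following Python is an added example, not SigmaHQ or pySigma code: it embeds the detection blocks of three rules from this page as Python dicts (the NetSupport unusual-location, AnyDesk revoked-certificate and AnyDesk piped-password rules), implements the subset of Sigma matching those rules need, and runs them over constructed Sysmon-style process_creation records. The function names and the sample events are this example's own; events are keyed by Sigma's field names, so the Adapt step is the rename you do on your own schema before calling matching_rules. Needs Python 3.8 or newer.

```python
"""Run this page's Sigma rules over process_creation events (added example, not
SigmaHQ or pySigma code). It implements only the subset these rules use: map and
list-of-map selections, list values (OR, or AND with |all), the contains /
startswith / endswith modifiers, case-insensitive comparison, and conditions made
of selection names, `1 of X*` / `all of X*` / `1 of them`, and/or/not, parentheses."""
import ast
import fnmatch
import re

# Detection blocks copied from the page's YAML; rule metadata is omitted.
RULES = {
    "Remote Access Tool - NetSupport Execution From Unusual Location": {
        "selection": [
            {"Image|endswith": "\\client32.exe"},
            {"Product|contains": "NetSupport Remote Control"},
            {"OriginalFileName|contains": "client32.exe"},
            {"Hashes|contains": "IMPHASH=a9d50692e95b79723f3e76fcf70d023e"},
        ],
        "filter": {"Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
        "condition": "selection and not filter",
    },
    "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate": {
        "selection_img": [
            {"Image|endswith": "\\AnyDesk.exe"}, {"Description": "AnyDesk"},
            {"Product": "AnyDesk"}, {"Company": "AnyDesk Software GmbH"},
        ],
        "selection_version": {"FileVersion|startswith": [
            "7.0.", "7.1.", "8.0.1", "8.0.2", "8.0.3", "8.0.4", "8.0.5", "8.0.6", "8.0.7"]},
        "filter_main_uninstall": {"CommandLine|contains": [" --remove", " --uninstall"]},
        "condition": "all of selection_* and not 1 of filter_main_*",
    },
    "Remote Access Tool - AnyDesk Piped Password Via CLI": {
        "selection": {"CommandLine|contains|all": ["/c ", "echo ", ".exe --set-password"]},
        "condition": "selection",
    },
}

def _match_value(actual, expected, mods):
    """Case-insensitive, as Sigma specifies; the modifier selects the comparison."""
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in mods:
        return e in a
    if "startswith" in mods:
        return a.startswith(e)
    return a.endswith(e) if "endswith" in mods else a == e

def _match_field(event, key, expected):
    """`Field|mod...: value-or-list`; a list is OR unless |all is present."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(event[field], v, mods) for v in values]
    return all(hits) if "all" in mods else any(hits)

def _match_selection(event, sel):
    """A map ANDs its fields; a list of maps ORs its entries."""
    if isinstance(sel, list):
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())

def _truth(node):
    """Evaluate a parsed condition; anything but literals, and, or, not is rejected."""
    if isinstance(node, ast.Constant):
        return bool(node.value)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _truth(node.operand)
    if isinstance(node, ast.BoolOp):
        combine = all if isinstance(node.op, ast.And) else any
        return combine(_truth(v) for v in node.values)
    raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")

def _eval_condition(cond, results):
    """Replace quantifiers and selection names with True/False, then walk the AST."""
    def quantifier(m):
        pattern = "*" if m.group(2) == "them" else m.group(2)
        picked = [v for n, v in results.items() if fnmatch.fnmatchcase(n, pattern)]
        return str(all(picked) if m.group(1) == "all" else any(picked))
    expr = re.sub(r"\b(1|all) of ([\w*?]+)", quantifier, cond)
    expr = re.sub(r"\b(?!and\b|or\b|not\b|True\b|False\b)[A-Za-z_]\w*",
                  lambda m: str(results[m.group(0)]), expr)
    return _truth(ast.parse(expr, mode="eval").body)

def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    results = {n: _match_selection(event, s) for n, s in rule.items() if n != "condition"}
    return _eval_condition(rule["condition"], results)

def matching_rules(event, rules=RULES):
    """Titles of every rule that fires on one event already keyed by Sigma field names."""
    return sorted(t for t, r in rules.items() if evaluate(r, event))

# Constructed Sysmon-style process_creation records, not real telemetry.
EVENTS = [
    {"Image": "C:\\Users\\Public\\client32.exe", "Product": "NetSupport Remote Control"},
    {"Image": "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe",
     "Product": "NetSupport Remote Control"},
    {"Image": "C:\\ProgramData\\AnyDesk.exe", "Company": "AnyDesk Software GmbH",
     "FileVersion": "8.0.6.0", "CommandLine": "AnyDesk.exe --install"},
    {"Image": "C:\\ProgramData\\AnyDesk.exe", "Company": "AnyDesk Software GmbH",
     "FileVersion": "8.0.6.0", "CommandLine": "AnyDesk.exe --uninstall"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "C:\\WINDOWS\\system32\\cmd.exe"
     " /C cmd.exe /c echo J9kzQ2Y0qO |C:\\ProgramData\\anydesk.exe --set-password"},
]
```

Calling matching_rules on each of the five events yields, in order: the NetSupport rule, nothing (same binary under Program Files, so the filter wins), the revoked-certificate rule, nothing (the --uninstall filter wins), and the piped-password rule. Two points worth carrying over to whatever your SIEM renders: Sigma compares strings case-insensitively, which is why `Image|endswith: '\AnyDesk.exe'` also matches `C:\ProgramData\anydesk.exe`, and a rule condition is data from a rule file, so this evaluator turns it into a boolean expression of literals and walks the parsed AST instead of calling eval. For production use convert with sigma-cli/pySigma and the backend for your platform; this block only shows what that conversion must preserve.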

Detection rules

50 shown of 1,492
RemCom Service Installation
title: RemCom Service Installation
id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
status: test
description: Detects RemCom service installation and execution events
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'RemComSvc'
        - ImagePath|endswith: '\RemComSvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
id: aa3168fb-d594-4f93-a92d-7a9ba675b766
status: test
description: |
    Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.

    Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
    Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.

    Hunting Opportunity 1- Weed Out The Noise

    When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through  a policy with name "test_app_1":

    ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"

    After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.

    Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours

    If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
references:
    - https://twitter.com/Kostastsale/status/1646256901506605063?s=20
    - https://www.action1.com/documentation/
author: '@kostastsale'
date: 2023-04-13
tags:
    - attack.command-and-control
    - attack.t1219.002
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_app_deployment_exec:
        ParentImage|endswith: '\action1_agent.exe'
        Image|contains: '\Windows\Action1\package_downloads\'
    selection_command_exec:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        ParentCommandLine|contains:
            - '\Action1\scripts\Run_Command_'
            - '\Action1\scripts\Run_PowerShell_'
    selection_remote_session_init:
        Image|endswith: '\agent1_remote.exe'
    condition: 1 of selection_*
falsepositives:
    - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
level: medium
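The two hunting opportunities in the description are concrete enough to script. The following Python is an added example, not the rule author's or Action1's code: it parses the policy name out of the `schedule:` token, counts how often each policy ran across a baseline of constructed events, and lists agent1_remote.exe starts outside business hours or at the weekend. The token layout `schedule:<Action>__<policy>_<epoch-ms>` is generalised from the single sample in the description and is an assumption, as are the agent install directory, the office-hours window, the user names and the events themselves.

```python
"""Two hunts over Action1 agent telemetry, following the rule description above.

Added example, not the rule author's or Action1's code. The token layout
`schedule:<Action>__<policy>_<epoch-ms>` is generalised from the one sample in
the description and is an assumption; the events, users, paths and office hours
are constructed for the example."""
import re
from collections import Counter
from datetime import datetime

AGENT = "C:\\WINDOWS\\Action1\\action1_agent.exe"
# Assumed layout: the 13-digit suffix in the sample reads as epoch milliseconds.
SCHEDULE_RE = re.compile(r"schedule:(?P<action>[A-Za-z]+(?:_[A-Za-z]+)*)__(?P<policy>.+)_\d{13}\b")

def policy_from_cmdline(cmdline):
    """(action, policy) parsed from an action1_agent.exe command line, else None."""
    if "\\action1\\action1_agent.exe" not in cmdline.lower():
        return None
    m = SCHEDULE_RE.search(cmdline)
    return (m.group("action"), m.group("policy")) if m else None

def policy_frequencies(events):
    """Hunt 1, step one: how often each (action, policy) pair ran in the baseline."""
    parsed = (policy_from_cmdline(e.get("ParentCommandLine", "")) for e in events)
    return Counter(p for p in parsed if p)

def rare_policies(events, max_count=1):
    """Hunt 1, step two: pairs seen at most max_count times are the ones to inspect."""
    return sorted(p for p, n in policy_frequencies(events).items() if n <= max_count)

def off_hours_sessions(events, start_hour=8, end_hour=18):
    """Hunt 2: agent1_remote.exe starts outside business hours (UTC) or at the weekend."""
    hits = []
    for e in events:
        if not e.get("Image", "").lower().endswith("\\agent1_remote.exe"):
            continue
        when = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if when.weekday() >= 5 or not start_hour <= when.hour < end_hour:
            hits.append((e["UtcTime"], e["User"]))
    return hits

def _deploy(policy, utc_time, epoch_ms):
    """One constructed app-deployment event (child of the agent, as in the rule)."""
    return {"UtcTime": utc_time, "User": "NT AUTHORITY\\SYSTEM",
            "ParentCommandLine": f"{AGENT} schedule:{policy}_{epoch_ms} runaction:0",
            "Image": "C:\\Windows\\Action1\\package_downloads\\pkg\\setup.exe"}

def _session(utc_time, user):
    """One constructed remote-session start; the directory is an assumption."""
    return {"UtcTime": utc_time, "User": user, "Image": "C:\\Windows\\Action1\\agent1_remote.exe"}

# Constructed Sysmon-style events: routine patching, one odd policy, three sessions.
EVENTS = [
    _deploy("Deploy_App__patch_tuesday", "2023-04-11 12:00:00.000", 1681214400000),
    _deploy("Deploy_App__patch_tuesday", "2023-04-11 12:05:00.000", 1681214700000),
    _deploy("Deploy_App__patch_tuesday", "2023-04-11 12:10:00.000", 1681215000000),
    _deploy("Deploy_App__test_app_1", "2023-04-12 19:27:53.425", 1681327673425),
    _session("2023-04-13 10:00:00.000", "CORP\\helpdesk1"),   # Thursday, in hours
    _session("2023-04-13 02:10:00.000", "CORP\\helpdesk1"),   # Thursday, 02:10 UTC
    _session("2023-04-15 23:40:00.000", "CORP\\jdoe"),        # Saturday
]

if __name__ == "__main__":
    print("rare policies:", rare_policies(EVENTS))
    print("off-hours sessions:", off_hours_sessions(EVENTS))
```

Over this sample the frequency table shows patch_tuesday three times and test_app_1 once, so rare_policies returns only the test_app_1 deployment, and two of the three sessions fall outside the 08:00 to 18:00 weekday window. On real data run policy_frequencies over several weeks first and pick max_count from that distribution; a policy name that appears once in a long baseline is the signal the description is pointing at, while a rule-level alert on every Action1 execution is the noise it asks you to weed out.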

Remote Access Tool - Ammy Admin Agent Execution
title: Remote Access Tool - Ammy Admin Agent Execution
id: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14
status: test
description: Detects the execution of the Ammy Admin RMM agent for remote management.
references:
    - https://www.ammyy.com/en/admin_features.html
author: '@kostastsale'
date: 2024-08-05
tags:
    - attack.execution
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'AMMYY\aa_nts.dll",run'
    condition: selection
falsepositives:
    - Legitimate use of Ammy Admin RMM agent for remote management by admins.
level: medium

Remote Access Tool - AnyDesk Execution
title: Remote Access Tool - AnyDesk Execution
id: b52e84a3-029e-4529-b09b-71d19dd27e94
status: test
related:
    - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
      type: similar
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: frack113
date: 2022-02-11
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    condition: selection
falsepositives:
    - Legitimate use
level: medium

Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
id: 41f407b5-3096-44ea-a74f-96d04fbc41be
status: test
description: |
    Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
    Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
    Use this rule to detect instances of older versions of Anydesk using the compromised certificate.
    This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
references:
    - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
    - https://anydesk.com/en/changelog/windows
author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-08
tags:
    - attack.execution
    - attack.initial-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\AnyDesk.exe'
        - Description: 'AnyDesk'
        - Product: 'AnyDesk'
        - Company: 'AnyDesk Software GmbH'
    selection_version:
        FileVersion|startswith:
            - '7.0.'
            - '7.1.'
            - '8.0.1'
            - '8.0.2'
            - '8.0.3'
            - '8.0.4'
            - '8.0.5'
            - '8.0.6'
            - '8.0.7'
    filter_main_uninstall:
        CommandLine|contains:
            - ' --remove'
            - ' --uninstall'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium

Remote Access Tool - AnyDesk Incoming Connection
title: Remote Access Tool - AnyDesk Incoming Connection
id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
status: experimental
description: |
    Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://asec.ahnlab.com/en/40263/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-09-02
modified: 2025-02-24
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
    condition: selection
falsepositives:
    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
level: medium

Remote Access Tool - AnyDesk Piped Password Via CLI
title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection
falsepositives:
    - Legitimate piping of the password to anydesk
    - Some FP could occur with similar tools that uses the same command line '--set-password'
level: medium

Remote Access Tool - Cmd.EXE Execution via AnyViewer
title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
id: bc533330-fc29-44c0-b245-7dc6e5939c87
status: test
description: |
    Detects execution of "cmd.exe" via the AnyViewer RMM agent during a remote management session.
references:
    - https://www.anyviewer.com/help/remote-technical-support.html
author: '@kostastsale'
date: 2024-08-03
tags:
    - attack.execution
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\AVCore.exe'
        ParentCommandLine|contains: 'AVCore.exe" -d'
        Image|endswith: '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate use for admin activity.
level: medium

Remote Access Tool - GoToAssist Execution
title: Remote Access Tool - GoToAssist Execution
id: b6d98a4f-cef0-4abf-bbf6-24132854a83d
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'GoTo Opener'
        - Product: 'GoTo Opener'
        - Company: 'LogMeIn, Inc.'
    condition: selection
falsepositives:
    - Legitimate use
level: medium

Remote Access Tool - LogMeIn Execution
title: Remote Access Tool - LogMeIn Execution
id: d85873ef-a0f8-4c48-a53a-6b621f11729d
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: LMIGuardianSvc
        - Product: LMIGuardianSvc
        - Company: LogMeIn, Inc.
    condition: selection
falsepositives:
    - Legitimate use
level: medium

Remote Access Tool - MeshAgent Command Execution via MeshCentral
title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
id: 74a2b202-73e0-4693-9a3a-9d36146d0775
status: test
description: |
    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
references:
    - https://github.com/Ylianst/MeshAgent
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
author: '@Kostastsale'
date: 2024-09-22
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\meshagent.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
level: medium

Remote Access Tool - NetSupport Execution
title: Remote Access Tool - NetSupport Execution
id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2023-03-06
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: NetSupport Client Configurator
        - Product: NetSupport Remote Control
        - Company: NetSupport Ltd
        - OriginalFileName: PCICFGUI.EXE
    condition: selection
falsepositives:
    - Legitimate use
level: medium

Remote Access Tool - NetSupport Execution From Unusual Location
title: Remote Access Tool - NetSupport Execution From Unusual Location
id: 37e8d358-6408-4853-82f4-98333fca7014
status: test
description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2024-11-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\client32.exe'
        - Product|contains: 'NetSupport Remote Control'
        - OriginalFileName|contains: 'client32.exe'
        - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
    filter:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

Remote Access Tool - Potential MeshAgent Execution - MacOS
title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium

Remote Access Tool - Potential MeshAgent Execution - Windows
title: Remote Access Tool - Potential MeshAgent Execution - Windows
id: 2fbbe9ff-0afc-470b-bdc0-592198339968
related:
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium

Remote Access Tool - RURAT Execution From Unusual Location
title: Remote Access Tool - RURAT Execution From Unusual Location
id: e01fa958-6893-41d4-ae03-182477c5e77d
status: test
description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-03-05
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\rutserv.exe'
              - '\rfusclient.exe'
        - Product: 'Remote Utilities'
    filter:
        Image|startswith:
            - 'C:\Program Files\Remote Utilities'
            - 'C:\Program Files (x86)\Remote Utilities'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

Remote Access Tool - ScreenConnect Execution
title: Remote Access Tool - ScreenConnect Execution
id: 57bff678-25d1-4d6c-8211-8ca106d12053
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'ScreenConnect Service'
        - Product: 'ScreenConnect'
        - Company: 'ScreenConnect Software'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium

Remote Access Tool - ScreenConnect Installation Execution
title: Remote Access Tool - ScreenConnect Installation Execution
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
status: test
description: Detects ScreenConnect program starts that establish remote access to a system.
references:
    - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2024-02-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'e=Access&'
            - 'y=Guest&'
            - '&p='
            - '&c='
            - '&k='
    condition: selection
falsepositives:
    - Legitimate use by administrative staff
level: medium
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Detects potentially suspicious child processes launched via the ScreenConnect client service.
level: medium · status: test · author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale · id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
      type: derived
status: test
description: |
    Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - ':\Windows\TEMP\ScreenConnect\'
            - 'run.cmd'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\dllhost.exe'
            - '\net.exe'
            - '\nltest.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\rundll32.exe'
            - '\wevtutil.exe'
    condition: selection
falsepositives:
    - If the script being executed makes use of any of the utilities mentioned in the detection, then they should be filtered out or allowed.
level: medium
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
Detects remote binary or command execution via the ScreenConnect Service. Use this rule to hunt for potentially anomalous executions originating from ScreenConnect.
level: medium · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: derived
    - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
      type: derived
status: test
description: |
    Detects remote binary or command execution via the ScreenConnect Service.
    Use this rule to hunt for potentially anomalous executions originating from ScreenConnect.
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-02-26
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    condition: selection
falsepositives:
    - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
level: medium
Remote Access Tool - Simple Help Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
level: medium · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
title: Remote Access Tool - Simple Help Execution
id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\JWrapper-Remote Access\'
            - '\JWrapper-Remote Support\'
        Image|endswith: '\SimpleService.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
level: medium · status: experimental · author: Ahmed Nosir (@egycondor) · id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
    Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
    These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
    This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
    - https://github.com/amidaware/tacticalrmm
    - https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
    - attack.command-and-control
    - attack.t1219
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\TacticalAgent\tacticalrmm.exe'
        CommandLine|contains|all:
            - '--api'
            - '--auth'
            - '--client-id'
            - '--site-id'
            - '--agent-type'
    condition: selection
falsepositives:
    - Legitimate system administrator deploying TacticalRMM
level: medium
Remote Access Tool - UltraViewer Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
level: medium · status: test · author: frack113 · id: 88656cec-6c3b-487c-82c0-f73ebb805503
title: Remote Access Tool - UltraViewer Execution
id: 88656cec-6c3b-487c-82c0-f73ebb805503
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2024-03-14
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Product: 'UltraViewer'
        - Company: 'DucFabulous Co,ltd'
        - OriginalFileName: 'UltraViewer_Desktop.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
Remote Access Tool Services Have Been Installed - Security
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
level: medium · status: test · author: Connor Martin, Nasreddine Bencherchali (Nextron Systems) · id: c8b00925-926c-47e3-beea-298fd563728e
title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2024-12-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
level: medium
Remote Access Tool Services Have Been Installed - System
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
level: medium · status: test · author: Connor Martin, Nasreddine Bencherchali · id: 1a31b18a-f00c-4061-9900-f735b96c99fc
title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
related:
    - id: c8b00925-926c-47e3-beea-298fd563728e
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - Unknown
level: medium
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create service on remote host via winrm.vbs.
level: medium · status: test · author: Julia Fomina, oscd.community · id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
references:
    - https://twitter.com/bohops/status/994405551751815170
    - https://redcanary.com/blog/lateral-movement-winrm-wmi/
    - https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
date: 2020-10-07
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function)
        - Image|endswith: '\cscript.exe'
        - OriginalFileName: 'cscript.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'winrm'
            - 'invoke Create wmicimv2/Win32_'
            - '-r:http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Remote DLL Load Via Rundll32.EXE
Detects a remote DLL load event via "rundll32.exe".
level: medium · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: f40017b3-cb2e-4335-ab5d-3babf679c1de
title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Remote File Download Via Desktopimgdownldr Utility
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
level: medium · status: test · author: Tim Rauch, Elastic (idea) · id: 214641c2-c579-4ecb-8427-0cf19df6842e
title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
references:
    - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\desktopimgdownldr.exe'
        ParentImage|endswith: '\desktopimgdownldr.exe'
        CommandLine|contains: '/lockscreenurl:http'
    condition: selection
falsepositives:
    - Unknown
level: medium
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
level: medium · status: test · author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) · id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_download_1:
        CommandLine|contains|windash: ' -v '
    selection_cli_download_2:
        CommandLine|contains|windash: ' -l '
    selection_cli_download_3:
        CommandLine|contains: '\\\\'
    condition: selection_findstr and all of selection_cli_download_*
falsepositives:
    - Unknown
level: medium
Remote PowerShell Session Host Process (WinRM)
Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
level: medium · status: test · author: Roberto Rodriguez @Cyb3rWard0g · id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
status: test
description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1059.001
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\wsmprovhost.exe'
        - ParentImage|endswith: '\wsmprovhost.exe'
    condition: selection
falsepositives:
    - Legitimate usage of remote PowerShell, e.g. for monitoring purposes.
level: medium
Remote Registry Management Using Reg Utility
Remote registry management using REG utility from non-admin workstation
level: medium · status: test · author: Teymur Kheirkhabarov, oscd.community · id: 68fcba0d-73a5-475e-a915-e8b4c576827e
title: Remote Registry Management Using Reg Utility
id: 68fcba0d-73a5-475e-a915-e8b4c576827e
status: test
description: Remote registry management using REG utility from non-admin workstation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2023-12-15
tags:
    - attack.credential-access
    - attack.persistence
    - attack.discovery
    - attack.defense-impairment
    - attack.s0075
    - attack.t1012
    - attack.t1112
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|contains: '\winreg'
    filter_main:
        IpAddress|expand: '%Admins_Workstations%'
    condition: selection and not filter_main
falsepositives:
    - Legitimate usage of remote registry management by administrator
level: medium
Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
level: medium · status: test · author: Samir Bousseaden · id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
description: Detects remote service activity via remote access to the svcctl named pipe
references:
    - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
    - attack.lateral-movement
    - attack.persistence
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: svcctl
        AccessList|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium
Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
level: medium · status: test · author: Samir Bousseaden · id: f6de6525-4509-495a-8a82-1f8b0ed73a00
title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
status: test
description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
references:
    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.lateral-movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: atsvc
        AccessList|contains: 'WriteData'
    condition: selection
falsepositives:
    - Unknown
level: medium
Remote Task Creation via ATSVC Named Pipe - Zeek
Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
level: medium · status: test · author: Samir Bousseaden, @neu5rn · id: dde85b37-40cd-4a94-b00c-0b8794f956b5
title: Remote Task Creation via ATSVC Named Pipe - Zeek
id: dde85b37-40cd-4a94-b00c-0b8794f956b5
related:
    - id: f6de6525-4509-495a-8a82-1f8b0ed73a00
      type: derived
status: test
description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
references:
    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: 'Samir Bousseaden, @neu5rn'
date: 2020-04-03
modified: 2022-12-27
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.lateral-movement
    - attack.persistence
    - car.2013-05-004
    - car.2015-04-001
    - attack.t1053.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\*\IPC$'
        name: 'atsvc'
        # Accesses: '*WriteData*'
    condition: selection
falsepositives:
    - Unknown
level: medium
Remote Thread Created In Shell Application
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
level: medium · status: test · author: Splunk Research Team · id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
title: Remote Thread Created In Shell Application
id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
status: test
description: |
    Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
    It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
references:
    - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
    - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
author: Splunk Research Team
date: 2024-07-29
modified: 2025-07-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.threat-hunting
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_system:
        SourceImage|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_defender:
        SourceImage|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
level: medium · status: test · author: Perez Diego (@darkquassar), oscd.community · id: 66d31e5f-52d6-40a4-9615-002d3789a119
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium
medium
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
status test author Florian Roth (Nextron Systems) id a1a144b7-5c9b-4853-a559-2172be8d4a03
title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
    - id: f016c716-754a-467f-a39e-63c06f773987
      type: obsolete
status: test
description: Detects uncommon target processes for remote thread creation
references:
    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022-03-16
modified: 2025-07-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.003
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\sethc.exe'
            - '\spoolsv.exe'
            - '\wordpad.exe'
            - '\write.exe'
    filter_main_csrss:
        SourceImage: 'C:\Windows\System32\csrss.exe'
    filter_main_notepad:
        SourceImage:
            - 'C:\Windows\System32\explorer.exe'
            - 'C:\Windows\System32\OpenWith.exe'
        TargetImage: 'C:\Windows\System32\notepad.exe'
    filter_main_sethc:
        SourceImage: 'C:\Windows\System32\AtBroker.exe'
        TargetImage: 'C:\Windows\System32\Sethc.exe'
    filter_optional_aurora_1:
        StartFunction: 'EtwpNotificationThread'
    filter_optional_aurora_2:
        SourceImage|contains: 'unknown process'
    filter_optional_vmtoolsd:
        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
        StartFunction: 'GetCommandLineW'
        TargetImage:
            - 'C:\Windows\System32\notepad.exe'
            - 'C:\Windows\System32\spoolsv.exe'
    filter_optional_xerox_pjems:
        SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
        StartFunction: 'LoadLibraryW'
        TargetImage: 'C:\Windows\System32\spoolsv.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Remote Thread Creation Via PowerShell
Detects the creation of a remote thread from a PowerShell process to another process
status test author Nikita Nazarov, oscd.community id eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
title: Remote Thread Creation Via PowerShell
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
related:
    - id: 99b97608-3e21-4bfe-8217-2a127c396a0e
      type: derived
status: test
description: Detects the creation of a remote thread from a PowerShell process to another process
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-11-10
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_main_compattelrunner:
        SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a PowerShell process in an uncommon target process
status test author Florian Roth (Nextron Systems) id 99b97608-3e21-4bfe-8217-2a127c396a0e
title: Remote Thread Creation Via PowerShell In Uncommon Target
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
related:
    - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
      type: similar
status: test
description: Detects the creation of a remote thread from a PowerShell process in an uncommon target process
references:
    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
author: Florian Roth (Nextron Systems)
date: 2018-06-25
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.011
    - attack.t1059.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetImage|endswith:
            # Note: Please add additional potential interesting targets to increase coverage
            - '\rundll32.exe'
            - '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Remote Utilities Host Service Install
Detects Remote Utilities Host service installation on the target system.
status test author Nasreddine Bencherchali (Nextron Systems) id 85cce894-dd8b-4427-a958-5cc47a4dc9b9
title: Remote Utilities Host Service Install
id: 85cce894-dd8b-4427-a958-5cc47a4dc9b9
status: test
description: Detects Remote Utilities Host service installation on the target system.
references:
    - https://www.remoteutilities.com/support/kb/host-service-won-t-start/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    #   <EventData>
    #       <Data Name="ServiceName">Remote Utilities - Host</Data>
    #       <Data Name="ImagePath">"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service</Data>
    #       <Data Name="ServiceType">user mode service</Data>
    #       <Data Name="StartType">auto start</Data>
    #       <Data Name="AccountName">LocalSystem</Data>
    #   </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains|all:
              - '\rutserv.exe'
              - '-service'
        - ServiceName: 'Remote Utilities - Host'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
Removal Of Index Value to Hide Schedule Task - Registry
Detects when the "Index" value of a scheduled task is removed or deleted from the registry, which effectively hides the task from tooling such as "schtasks /query".
status test author Nasreddine Bencherchali (Nextron Systems) id 526cc8bc-1cdc-48ad-8b26-f19bff969cec
title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
    - id: acd74772-5f88-45c7-956b-6a7b36c294d2
      type: similar
    - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
      type: similar
status: test
description: Detects when the "Index" value of a scheduled task is removed or deleted from the registry, which effectively hides the task from tooling such as "schtasks /query".
references:
    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2025-10-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Index'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml
medium
Removal Of SD Value to Hide Schedule Task - Registry
Detects removal of the SD (Security Descriptor) value under the \Schedule\TaskCache\Tree registry key to hide a scheduled task. This technique is used by Tarrask malware.
status test author Sittikorn S id acd74772-5f88-45c7-956b-6a7b36c294d2
title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related:
    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
      type: similar
status: test
description: Detects removal of the SD (Security Descriptor) value under the \Schedule\TaskCache\Tree registry key to hide a scheduled task. This technique is used by Tarrask malware.
references:
    - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
date: 2022-04-15
modified: 2025-10-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'SD'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml
medium
Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker, and the deletion could indicate steps to remove their tracks.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 96f697b0-b499-4e5d-9908-a67bec11cdb6
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: |
    Detects any deletion of entries in ".*\shell\open\command" registry keys.
    These registry keys might have been used for COM hijacking activities by a threat actor or an attacker, and the deletion could indicate steps to remove their tracks.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/7
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
    - https://learn.microsoft.com/en-us/windows/win32/shell/launch
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith: '\shell\open\command'
    filter_main_explorer:
        Image|endswith: 'C:\Windows\explorer.exe'
    filter_main_svchost:
        Image: 'C:\Windows\system32\svchost.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_generic_programs:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_openwith:
        Image: 'C:\Windows\System32\OpenWith.exe'
    filter_optional_dropbox:
        Image|endswith: '\Dropbox.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Dropbox.'
    filter_optional_wireshark:
        Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\wireshark-capture-file\'
    filter_optional_peazip:
        Image|contains: 'peazip'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\PeaZip.'
    filter_optional_everything:
        Image|endswith: '\Everything.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Everything.'
    filter_optional_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
    filter_optional_java:
        Image|startswith: 'C:\Program Files (x86)\Java\'
        Image|endswith: '\installer.exe'
        TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
    filter_optional_edgeupdate:
        Image|contains: '\Microsoft\EdgeUpdate\Install'
    filter_optional_avira:
        # The values below are directory prefixes, so an exact Image match would never fire; match on the prefix instead
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\'
            - 'C:\Program Files\Avira\Antivirus\'
        TargetObject|endswith:
            - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
            - '\AntiVir.Keyfile\shell\open\command'
    filter_optional_installer_temp:
        - Image|contains|all:
              - 'AppData\Local\Temp'
              - '\setup.exe'
        - Image|contains|all:
              - '\Temp\is-'
              - '\target.tmp'
    filter_optional_ninite:
        Image|endswith: '\ninite.exe'
    filter_optional_discord:
        Image|endswith: '\reg.exe'
        TargetObject|endswith: '\Discord\shell\open\command'
    filter_optional_spotify:
        Image|endswith: '\Spotify.exe'
        TargetObject|endswith: '\Spotify\shell\open\command'
    filter_optional_eclipse:
        Image|endswith: 'C:\eclipse\eclipse.exe'
        TargetObject|contains: '_Classes\eclipse+'
    filter_optional_teamviewer:
        Image|contains|all:
            - '\Temp'
            - '\TeamViewer'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered.
level: medium
medium
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
status test author frack113 id 48a45d45-8112-416b-8a67-46e03a4b2107
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Remove-ADGroupMember'
            - '-Identity '
            - '-Members '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove the immutable file attribute.
status test author Nasreddine Bencherchali (Nextron Systems) id 34979410-e4b5-4e5d-8cfb-389fdff05c12
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
    - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
      type: derived
status: test
description: Detects usage of the 'chattr' utility to remove the immutable file attribute.
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chattr'
        CommandLine|contains: ' -i '
    condition: selection
falsepositives:
    - Administrator interacting with immutable files (e.g. backups).
level: medium
medium
Remove Immutable File Attribute - Auditd
Detects removal of the immutable file attribute via 'chattr', as seen in auditd EXECVE records.
status test author Jakob Weinzettl, oscd.community id a5b977d6-8a81-4475-91b9-49dbfcd941f7
title: Remove Immutable File Attribute - Auditd
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: test
description: Detects removal of the immutable file attribute via 'chattr', as seen in auditd EXECVE records.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2022-11-26
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'chattr'
        a1|contains: '-i'
    condition: selection
falsepositives:
    - Administrator interacting with immutable files (e.g. backups).
level: medium
simulation:
    - type: atomic-red-team
      name: Remove immutable file attribute
      technique: T1222.002
      atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
medium
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners in order to hijack as many resources as possible.
status test author Nasreddine Bencherchali (Nextron Systems) id c2e234de-03a3-41e1-b39a-1e56dc17ba67
title: Remove Scheduled Cron Task/Job
id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
status: test
description: |
    Detects usage of the 'crontab' utility to remove the current crontab.
    This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners in order to hijack as many resources as possible.
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'crontab'
        CommandLine|contains: ' -r'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
status test author Nasreddine Bencherchali id 0f16d9cf-0616-45c8-8fad-becc11b5a41c
title: Renamed AutoHotkey.EXE Execution
id: 0f16d9cf-0616-45c8-8fad-becc11b5a41c
status: test
description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
references:
    - https://www.autohotkey.com/download/
    - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: Nasreddine Bencherchali
date: 2023-02-07
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Product|contains: 'AutoHotkey'
        - Description|contains: 'AutoHotkey'
        - OriginalFileName:
              - 'AutoHotkey.exe'
              - 'AutoHotkey.rc'
    filter:
        - Image|endswith:
              - '\AutoHotkey.exe'
              - '\AutoHotkey32.exe'
              - '\AutoHotkey32_UIA.exe'
              - '\AutoHotkey64.exe'
              - '\AutoHotkey64_UIA.exe'
              - '\AutoHotkeyA32.exe'
              - '\AutoHotkeyA32_UIA.exe'
              - '\AutoHotkeyU32.exe'
              - '\AutoHotkeyU32_UIA.exe'
              - '\AutoHotkeyU64.exe'
              - '\AutoHotkeyU64_UIA.exe'
        - Image|contains: '\AutoHotkey'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
status test author Matt Anderson (Huntress) id 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
title: Renamed BOINC Client Execution
id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
status: test
description: Detects the execution of a renamed BOINC binary.
references:
    - https://boinc.berkeley.edu/
    - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.defense-impairment
    - attack.t1553
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'BOINC.exe'
    filter_main_legit_name:
        Image|endswith: '\BOINC.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Renamed CURL.EXE Execution
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
status test author X__Junior (Nextron Systems) id 7530cd3d-7671-43e3-b209-976966f6ea48
title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: test
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
    - https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023-09-11
modified: 2023-10-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'curl.exe'
        - Description: 'The curl executable'
    filter_main_img:
        Image|contains: '\curl'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml