title: Manual Execution of Script Inside of a Compressed File
id: 95724fc1-a258-4674-97db-a30351981c5a
status: test
description: |
    This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.

    From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
        1. Compressed file opened using 7zip.
        2. Compressed file opened using WinRar.
        3. Compressed file opened using native windows File Explorer capabilities.

    When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
references:
    - https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
    - https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
author: '@kostastsale'
date: 2023-02-15
modified: 2024-08-13
tags:
    - attack.execution
    - attack.t1059
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_7zip:
        ParentImage|endswith: '\7z*.exe'
        CommandLine|contains: '\AppData\local\temp\7z*\'
    selection_parent_winrar:
        ParentImage|endswith: '\winrar.exe'
        CommandLine|contains: '\AppData\local\temp\rar*\'
    selection_parent_explorer:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains:
            - '\AppData\local\temp\*.rar\'
            - '\AppData\local\temp\*.zip\'
    selection_child:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|endswith:
            - '.hta'
            - '.js'
            - '.jse'
            - '.ps1'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: 1 of selection_parent_* and selection_child
falsepositives:
    - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.
level: medium

title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: test
description: |
  Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
  Several different variations of this technique have been observed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-08-22
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'execve'
        a0: 'cp'
        a1: '/bin/sh'
        a2|endswith: '/crond'
    condition: selection
level: medium

title: Mesh Agent Service Installation
id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
status: test
description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'MeshAgent.exe'
        - ServiceName|contains: 'Mesh Agent'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium

title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: test
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2020-07-06
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Impossible travel activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: test
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Potential ransomware activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
status: test
description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Unusual volume of file deletion'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: test
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1199
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'User restricted from sending email'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
      type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium

title: Microsoft Office Trusted Location Updated
id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
related:
    - id: f742bde7-9528-42e5-bd82-84f51a8387d2
      type: similar
status: test
description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.threat-hunting
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - During office installations or setup, trusted locations are added, which will trigger this rule.
level: medium

title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Microsoft Teams Sensitive File Access By Uncommon Applications
id: 65744385-8541-44a6-8630-ffc824d7d4cc
status: test
description: |
    Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_location:
        # Note: its best to filter the full path to avoid false negatives
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        ImageLoaded|endswith: '\outlvba.dll'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: medium

title: Microsoft Workflow Compiler Execution
id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
status: test
description: |
    Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
references:
    - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
author: Nik Seetharaman, frack113
date: 2019-01-16
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Microsoft.Workflow.Compiler.exe'
        - OriginalFileName: 'Microsoft.Workflow.Compiler.exe'
    condition: selection
falsepositives:
    - Legitimate MWC use (unlikely in modern enterprise environments)
level: medium

title: Modify Group Policy Settings
id: ada4b0c4-758b-46ac-9033-9004613a150d
related:
    - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
      type: similar
status: test
description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System'
    selection_key:
        CommandLine|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium

title: Modify Group Policy Settings - ScriptBlockLogging
id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
related:
    - id: ada4b0c4-758b-46ac-9033-9004613a150d
      type: similar
status: test
description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_path:
        ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
    selection_key:
        ScriptBlockText|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium

title: Modify System Firewall
id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
    - id: 53059bc0-1472-438b-956a-7508a94a91f0
      type: similar
status: test
description: |
    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
    Detection rules that match only on the disabling of firewalls will miss this.
references:
    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
    - https://blog.aquasec.com/container-security-tnt-container-attack
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
author: IAI
date: 2023-03-06
modified: 2025-10-12
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'EXECVE'
        a0: 'iptables'
        a1|contains: 'DROP'
    selection2:
        type: 'EXECVE'
        a0: 'firewall-cmd'
        a1|contains: 'remove'
    selection3:
        type: 'EXECVE'
        a0: 'ufw'
        a1|contains: 'delete'
    selection4:
        type: 'EXECVE'
        a0: 'nft'
        a1|contains:
            - 'delete'
            - 'flush'
    condition: 1 of selection*
falsepositives:
    - Legitimate admin activity
level: medium

title: Modifying Crontab
id: af202fd3-7bff-4212-a25a-fb34606cfcbe
status: test
description: Detects suspicious modification of crontab file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Pawel Mazur
date: 2022-04-16
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    service: cron
detection:
    keywords:
        - 'REPLACE'
    condition: keywords
falsepositives:
    - Legitimate modification of crontab
level: medium

title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
description: |
    BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
    When the job runs on the system the command specified in the BITS job will be executed.
    This can be abused by actors to create a backdoor within the system and for persistence.
    It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020-10-29
modified: 2024-01-25
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cli_notify_1:
        CommandLine|contains: '/SetNotifyCmdLine'
    selection_cli_notify_2:
        CommandLine|contains:
            - '%COMSPEC%'
            - 'cmd.exe'
            - 'regsvr32.exe'
    selection_cli_add_1:
        CommandLine|contains: '/Addfile'
    selection_cli_add_2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
            - 'ftp:'
            - 'ftps:'
    condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
    - Unknown
level: medium

title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1564
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/mount'
        CommandLine|contains|all:
            - 'hidepid=2'
            - ' -o '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
      type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1218.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' msiexec'
            - '://'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium

title: Msiexec Quiet Installation
id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022-01-16
modified: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    filter_user_temp:
        # The %temp% is a very common location for installers
        ParentImage|startswith: 'C:\Users\'
        ParentImage|contains: '\AppData\Local\Temp\'
    filter_system_temp:
        ParentImage|startswith: 'C:\Windows\Temp\'
    filter_ccm:
        ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - WindowsApps installing updates via the quiet flag
level: medium

title: Msxsl.EXE Execution
id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
status: test
description: |
    Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
    Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition
level: medium

title: Multi Factor Authentication Disabled For User Account
id: b18454c8-0be3-41f7-86bc-9c614611b839
status: test
description: |
    Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
    Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
references:
    - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-21
tags:
    - attack.credential-access
    - attack.persistence
logsource:
    product: azure
    service: auditlogs
    definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'
detection:
    selection:
        LoggedByService: 'Core Directory'
        Category: 'UserManagement'
        OperationName: 'Update user'
        TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
        TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
    condition: selection
falsepositives:
    - Legitimate authorized activity.
level: medium

title: Multifactor Authentication Denied
id: e40f4962-b02b-4192-9bfe-245f7ece1f99
status: test
description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
references:
    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
author: AlertIQ
date: 2022-03-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: 'multiFactorAuthentication'
        Status|contains: 'MFA Denied'
    condition: selection
falsepositives:
    - Users actually login but miss-click into the Deny button when MFA prompt.
level: medium

title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium

title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022-02-02
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium

title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID:
            - 6038
            - 6039
    condition: selection
falsepositives:
    - Environments that use NTLMv1
level: medium

title: NetSupport Manager Service Install
id: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
status: test
description: Detects NetSupport Manager service installation on the target system.
references:
    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    #   <EventData>
    #       <Data Name="ServiceName">Client32</Data>
    #       <Data Name="ImagePath">"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *</Data>
    #       <Data Name="ServiceType">user mode service</Data>
    #       <Data Name="StartType">auto start</Data>
    #       <Data Name="AccountName">LocalSystem</Data>
    #   </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: '\NetSupport Manager\client32.exe'
        - ServiceName: 'Client32'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium

title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/besimorhino/powercat
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021-07-21
modified: 2023-10-27
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1095
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022-01-09
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'advfirewall'
            - 'firewall'
            - 'set'
            - 'rule'
            - 'group='
            - 'new'
            - 'enable=Yes'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium

title: Network Communication Initiated To Portmap.IO Domain
id: 07837ab9-60e1-481f-a74d-c31fb496a94c
status: test
description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
references:
    - https://portmap.io/
    - https://github.com/rapid7/metasploit-framework/issues/11337
    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.t1041
    - attack.command-and-control
    - attack.t1090.002
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.portmap.io'
    condition: selection
falsepositives:
    - Legitimate use of portmap.io domains
level: medium

title: Network Connection Initiated By Regsvr32.EXE
id: c7e91a02-d771-4a6d-a700-42587e0b1095
status: test
description: Detects a network connection initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Network Connection Initiated From Users\Public Folder
id: bcb03938-9f8b-487d-8d86-e480691e1d71
related:
    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
      type: derived
status: test
description: |
    Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
    Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone.
    Use this rule to hunt for potential suspicious or uncommon activity in your environement.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.command-and-control
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains: ':\Users\Public\'
    filter_optional_ibm:
        Image|contains: ':\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location (Added by Tim Shelton - https://github.com/SigmaHQ/sigma/pull/3053/files)
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely from legitimate third party application that execute from the "Public" directory.
level: medium

title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
related:
    - id: e043f529-8514-4205-8ab0-7f7d2927b400
      type: derived
status: test
description: |
    Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
modified: 2024-07-16
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: 'azurewebsites.net'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Network Connection Initiated To BTunnels Domains
id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
status: test
description: |
    Detects network connections to BTunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
author: Kamran Saifullah
date: 2024-09-13
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.btunnel.co.in'
    condition: selection
falsepositives:
    - Legitimate use of BTunnels will also trigger this.
level: medium

title: Network Connection Initiated To Cloudflared Tunnels Domains
id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
related:
    - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
      type: derived
status: test
description: |
    Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-27
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium

title: Network Connection Initiated To DevTunnels Domain
id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
related:
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: Kamran Saifullah
date: 2023-11-20
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567.001
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium

title: Network Connection Initiated To Visual Studio Code Tunnels Domain
id: 4b657234-038e-4ad5-997c-4be42340bce4
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://cydefops.com/vscode-data-exfiltration
author: Kamran Saifullah
date: 2023-11-20
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
    condition: selection
falsepositives:
    - Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium

title: New AWS Lambda Function URL Configuration Created
id: ec541962-c05a-4420-b9ea-84de072d18f4
status: experimental
description: |
    Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
    This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
references:
    - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc
    - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.initial-access
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName: 'CreateFunctionUrlConfig'
    condition: selection
falsepositives:
    - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium

title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium

title: New BgInfo.EXE Custom VBScript Registry Configuration
id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
related:
    - id: cd277474-5c52-4423-a52b-ac2d7969902f
      type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '4' # WMI
    condition: selection
falsepositives:
    - Legitimate VBScript
level: medium

title: New BgInfo.EXE Custom WMI Query Registry Configuration
id: cd277474-5c52-4423-a52b-ac2d7969902f
related:
    - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
      type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '6' # WMI
    condition: selection
falsepositives:
    - Legitimate WMI query
level: medium

title: New CA Policy by Non-approved Actor
id: 0922467f-db53-4348-b7bf-dee8d0d348c6
status: test
description: Monitor and alert on conditional access changes.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
author: Corissa Koopmans, '@corissalea'
date: 2022-07-18
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium

title: New Capture Session Launched Via DXCap.EXE
id: 60f16a96-db70-42eb-8f76-16763e333590
status: test
description: |
    Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
    - https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2022-06-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\DXCap.exe'
        - OriginalFileName: 'DXCap.exe'
    selection_cli:
        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
    condition: all of selection*
falsepositives:
    - Legitimate execution of dxcap.exe by legitimate user
level: medium

title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - ':\Windows\apppatch\Custom\'
            - ':\Windows\apppatch\CustomSDB\'
    condition: selection
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml

title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: test
description: |
  Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
  by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.009
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
        # key rename
        - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019-10-25
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: New DLL Registered Via Odbcconf.EXE
id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
related:
    - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
      type: similar
status: test
description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://redcanary.com/blog/raspberry-robin/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'REGSVR '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
level: medium

title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'powershell_ise.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: New Federated Domain Added
id: 58f88172-a73d-442b-94c9-95eaed3cbb36
related:
    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
      type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
    - https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.002
logsource:
    service: audit
    product: m365
detection:
    selection_domain:
        Operation|contains: 'domain'
    selection_operation:
        Operation|contains:
            - 'add'
            - 'new'
    condition: all of selection_*
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium