title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: file_event
    product: windows
detection:
    selection_upper:
        TargetFilename|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        TargetFilename|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium

title: Potential In-Memory Download And Compile Of Payloads
id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
status: test
description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (idea)
date: 2023-08-22
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.007
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains|all:
            - 'osacompile'
            - 'curl'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential In-Memory Execution Using Reflection.Assembly
id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
status: test
description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
    - attack.stealth
    - attack.t1620
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    selection:
        ScriptBlockText|contains: '[Reflection.Assembly]::load'
    condition: selection
falsepositives:
    - Legitimate use of the library
level: medium

title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: test
description: |
    Detects the execution of a Word document via the WinWord Start Menu shortcut.
    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c '
            - '.lnk ~'
            - 'Start Menu\Programs\Word'
        CommandLine|endswith: '.doc'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: test
description: |
    Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
    - https://tria.ge/240123-rapteaahhr/behavioral1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - 'shutdown /l /f'
            - 'WEEKLY'
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
    - https://twitter.com/ScumBots/status/1610626724257046529
    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
    Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
        ParentImage|endswith: '\winrshost.exe'
    filter_main_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of WinRM within the organization
level: medium

title: Potential Libvlc.DLL Sideloading
id: bf9808c4-d24f-44a2-8398-b65227d406b6
status: test
description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
references:
    - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: X__Junior
date: 2023-04-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\libvlc.dll'
    filter_main_vlc:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\VideoLAN\VLC\'
            - 'C:\Program Files\VideoLAN\VLC\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are expected if VLC is installed in non-default locations
level: medium

title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/amazon-ssm-agent'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium

title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.009
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/dd'
        CommandLine|contains|all:
            - 'of='
            - '/proc/'
            - '/mem'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
status: test
description: |
    Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.

    Hunting Opportunity

    Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
references:
    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
author: '@kostastsale'
date: 2023-06-01
tags:
    - attack.execution
    - attack.t1059
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains: 'moveitdmz pool'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Initial software installation and software updates.
level: medium

title: Potential Malicious AppX Package Installation Attempts
id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
status: test
description: Detects potential installation or installation attempts of known malicious appx packages
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
    - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-01-12
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID:
            - 400
            - 401
        # Add more malicious package names
        # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
        PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
    condition: selection
falsepositives:
    - Rare occasions where a malicious package uses the exact same name and version as a legitimate application.
level: medium

title: Potential Memory Dumping Activity Via LiveKD
id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
status: test
description: Detects execution of LiveKD based on PE metadata or image name
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    condition: selection
falsepositives:
    - Administration and debugging activity (must be investigated)
level: medium

title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium

title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: test
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-08-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mftrace.exe'
    condition: selection
falsepositives:
    - Legitimate use for tracing purposes
level: medium

title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: |
    Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory.
    The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022-03-06
modified: 2023-08-03
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\OfflineScannerShell.exe'
        - OriginalFileName: 'OfflineScannerShell.exe'
    filter_main_legit_dir:
        CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
    Detects potential network sniffing via use of network tools such as "tshark", "windump".
    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_tshark:
        Image|endswith: '\tshark.exe'
        CommandLine|contains: '-i'
    selection_windump:
        Image|endswith: '\windump.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activity to troubleshoot network issues
level: medium

title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: test
description: Detects execution of "rundll32" with potential obfuscated ordinal calls
references:
    - Internal Research
    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-05-17
modified: 2025-02-23
tags:
    - attack.stealth
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains:
            - '#+'
            - '#-'
            # ordinal can be represented by adding any number of zeros in front ordinal number, for e.g. 000000024
            - '#0'
            # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.
            # for e.g ordinal 24 can be also represented by 65560 (65536+24)
            - '#655'
            - '#656'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: test
description: |
    Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
    Adversaries may attempt to capture network to gather information over the course of an operation.
    Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
    - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
    - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Start-NetEventSession'
    condition: selection
falsepositives:
    - Legitimate network diagnostic scripts.
level: medium

title: Potential Pass the Hash Activity
id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
status: test
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
    - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
date: 2017-03-08
modified: 2023-12-15
tags:
    - attack.lateral-movement
    - attack.t1550.002
    - car.2016-04-004
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
    selection:
        EventID:
            - 4624
            - 4625
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        WorkstationName|expand: '%Workstations%'
        ComputerName|expand: '%Workstations%'
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
level: medium

title: Potential Password Reconnaissance Via Findstr.EXE
id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
status: test
description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
references:
    - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
    - https://adsecurity.org/?p=2288
author: Josh Nickels
date: 2023-05-18
tags:
    - attack.credential-access
    - attack.t1552.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains:
            - 'contraseña' # Spanish
            - 'hasło' # Polish
            - 'heslo' # Czech
            - 'parola' # Italian
            - 'passe' # French
            - 'passw' # German, English
            - 'senha' # Portuguese
            - 'senord' # Swedish
            - '密碼' # Cantonese
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Password Spraying Attempt Using Dsacls.EXE
id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
status: test
description: Detects possible password spraying attempts using Dsacls
references:
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
    - https://ss64.com/nt/dsacls.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_cli:
        CommandLine|contains|all:
            - '/user:'
            - '/passwd:'
    condition: all of selection*
falsepositives:
    - Legitimate use of dsacls to bind to an LDAP session
level: medium

title: Potential Peach Sandstorm APT C2 Communication Activity
id: b8225208-81d0-4715-a822-12bcdd583e0f
status: test
description: Detects potential C2 communication activity related to Peach Sandstorm APT
references:
    - https://twitter.com/MsftSecIntel/status/1737895710169628824
    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
date: 2024-01-15
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|endswith:
            - '/api/Core/Command/Init'
            - '/api/Core/Command/Restart'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
    Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains: '\Users\Public\'
            # - '\AppData\Local\Temp\'  # Commented out as it's used by legitimate installers
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium

title: Potential Persistence Attempt Via ErrorHandler.Cmd
id: 15904280-565c-4b73-9303-3291f964e7f9
status: test
description: |
    Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
    The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
references:
    - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
    - https://github.com/last-byte/PersistenceSniper
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-09
modified: 2022-12-19
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - 'Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml

title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
    - https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_debug:
        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
        TargetObject|endswith: '\DebugPath'
    selection_default:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
        TargetObject|endswith: '\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium

title: Potential Persistence Via Custom Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
status: test
description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
references:
    - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-30
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|startswith: 'HKCR\'
        Details|startswith: 'URL:'
    filter_main_ms_trusted:
        Details|startswith: 'URL:ms-' # Microsoft Protocols usually start with "ms-"
    filter_main_generic_locations:
        Image|startswith: # Add more folders to avoid FP
            - 'C:\Program Files (x86)'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # Uncomment This section to add specific Protocol Handler names that are know
    # filter_specific:
    #     Details: 'URL:'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
level: medium

title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
    The disk cleanup manager is part of the operating system. It displays the dialog box […]
    The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
    - attack.persistence
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    filter_main_default_keys:
        # Default Keys
        TargetObject|endswith:
            - '\Active Setup Temp Folders'
            - '\BranchCache'
            - '\Content Indexer Cleaner'
            - '\D3D Shader Cache'
            - '\Delivery Optimization Files'
            - '\Device Driver Packages'
            - '\Diagnostic Data Viewer database files'
            - '\Downloaded Program Files'
            - '\DownloadsFolder'
            - '\Feedback Hub Archive log files'
            - '\Internet Cache Files'
            - '\Language Pack'
            - '\Microsoft Office Temp Files'
            - '\Offline Pages Files'
            - '\Old ChkDsk Files'
            - '\Previous Installations'
            - '\Recycle Bin'
            - '\RetailDemo Offline Content'
            - '\Setup Log Files'
            - '\System error memory dump files'
            - '\System error minidump files'
            - '\Temporary Files'
            - '\Temporary Setup Files'
            - '\Temporary Sync Files'
            - '\Thumbnail Cache'
            - '\Update Cleanup'
            - '\Upgrade Discarded Files'
            - '\User file versions'
            - '\Windows Defender'
            - '\Windows Error Reporting Files'
            - '\Windows ESD installation files'
            - '\Windows Upgrade Log Files'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate new entry added by windows
level: medium

title: Potential Persistence Via Event Viewer Events.asp
id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
status: test
description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
references:
    - https://twitter.com/nas_bench/status/1626648985824788480
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
    - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-17
modified: 2023-03-05
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
    filter_default_redirect_program:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
    filter_default_redirect_program_cli:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
        Details: '-url hcp://services/centers/support?topic=%%s'
    filter_url:
        Details: 'http://go.microsoft.com/fwlink/events.asp'
    filter_cleaner:
        Details: '(Empty)'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.t1037.001
    - attack.persistence
    - attack.lateral-movement
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml
simulation:
    - type: atomic-red-team
      name: Logon Scripts
      technique: T1037.001
      atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231

title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
    - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
      type: derived
status: test
description: |
    Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
    In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'run '
            - '\Application Experience\Microsoft Compatibility Appraiser'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Via Netsh Helper DLL
id: 56321594-9087-49d9-bf10-524fe8479452
related:
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
    - https://github.com/outflanknl/NetshHelperBeacon
    - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
author: Victor Sergeev, oscd.community
date: 2019-10-25
modified: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'netsh.exe'
        - Image|endswith: '\netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add'
            - 'helper'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Anish Bogati
date: 2023-11-28
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        Details:
            - 'ipmontr.dll'
            - 'iasmontr.dll'
            - 'ippromon.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate helper added by different programs and the OS
level: medium

title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: test
description: |
    Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
    Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
    This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
references:
    - https://persistence-info.github.io/Data/amsi.html
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2025-10-26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\AMSI\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
    filter_optional_avira:
        Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
        TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml

title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
    - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2025-09-01
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Notepad++\plugins\'
        TargetFilename|endswith: '.dll'
    filter_gup:
        Image|endswith: '\Notepad++\updater\gup.exe'
    filter_install:
        # This filter is for Sigma dataset you could remove it or change when using the rule in your own env
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith:
            - '\target.exe'
            - 'Installer.x64.exe'
    filter_main_installer:
        Image|contains: '\npp.'
        Image|endswith: '.exe'
        TargetFilename:
            - 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
            - 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
            - 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
            - 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Possible FPs during first installation of Notepad++
    - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
level: medium

title: Potential Persistence Via PowerShell User Profile Using Add-Content
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
status: test
description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-18
modified: 2023-05-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.013
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_add:
        ScriptBlockText|contains: 'Add-Content $profile'
    selection_options:
        ScriptBlockText|contains:
            # Note: You can add more suspicious values
            - '-Value "IEX '
            - '-Value "Invoke-Expression'
            - '-Value "Invoke-WebRequest'
            - '-Value "Start-Process'
            - "-Value 'IEX "
            - "-Value 'Invoke-Expression"
            - "-Value 'Invoke-WebRequest"
            - "-Value 'Start-Process"
    condition: all of selection_*
falsepositives:
    - Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
level: medium

title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate use of the dll.
level: medium

title: Potential Persistence Via Shim Database Modification
id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113
date: 2021-12-30
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
    filter_main_empty_string:
        Details: ''
    filter_main_empty_value:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium

title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
    - id: 236d8e89-ed95-4789-a982-36f4643738ba
      type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
references:
    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
    - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VMwareToolBoxCmd.exe'
        - OriginalFileName: 'toolbox-cmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' script '
            - ' set '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
            - 'C:\PROGRA~2\MICROS~2\Office'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\OneNote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium

title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
status: test
description: |
    Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
    The usage of this RPC function should be rare if ever used at all.
    Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
     View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
references:
    - https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
    - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
    - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
    - https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021-08-17
modified: 2022-11-28
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1557.001
    - attack.t1187
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation|startswith: 'efs'
    condition: selection
falsepositives:
    - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium

title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: test
description: |
    Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
    Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
    In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
references:
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
author: Alejandro Houspanossian ('@lekz86')
date: 2024-01-02
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1105
    - attack.t1218
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'cmd'
            - '/c'
    selection_pipes:
        CommandLine|contains:
            - ' & '
            - ' || '
    selection_commands_1:
        CommandLine|contains:
            - ' curl'
            - ' wget'
            - ' timeout '
            - ' ping '
    selection_commands_2:
        CommandLine|contains:
            - ' rundll32'
            - ' mkdir '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential PowerShell Console History Access Attempt via History File
id: f4ff7323-b5fc-4323-8b52-6b9408e15788
status: experimental
description: |
    Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
    This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
references:
    - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
author: Luc Génaux
date: 2025-04-03
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ConsoleHost_history.txt'
            - '(Get-PSReadLineOption).HistorySavePath'
    condition: selection
falsepositives:
    - Legitimate access of the console history file is possible
level: medium

title: Potential PowerShell Downgrade Attack
id: b3512211-c67e-4707-bedc-66efc7848863
related:
    - id: 6331d09b-4785-4c13-980f-f96661356249
      type: derived
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
author: Harish Segar (rule)
date: 2020-03-20
modified: 2023-01-04
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - ' -version 2 '
            - ' -versio 2 '
            - ' -versi 2 '
            - ' -vers 2 '
            - ' -ver 2 '
            - ' -ve 2 '
            - ' -v 2 '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential PowerShell Execution Policy Tampering
id: fad91067-08c5-4d1a-8d8c-d96a21b37814
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
      type: similar
status: test
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-12-14
tags:
    - attack.defense-impairment
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
            # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
            # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
            - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
            - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
        Details|contains:
            - 'Bypass'
            - 'Unrestricted'
    filter_main_svchost:
        # Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
    Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
    This user right does not apply to Plug and Play device drivers.
    If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
    This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2026-03-29
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4673
        PrivilegeList: 'SeLoadDriverPrivilege'
        Service: '-'
    filter_main_exact:
        ProcessName:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\HelpPane.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\System32\Dism.exe'
            - 'C:\Windows\System32\fltMC.exe'
            - 'C:\Windows\System32\mmc.exe'
            - 'C:\Windows\System32\rundll32.exe'
            - 'C:\Windows\System32\RuntimeBroker.exe'
            - 'C:\Windows\System32\ShellHost.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\SystemSettingsBroker.exe'
            - 'C:\Windows\System32\wimserv.exe'
    filter_optional_others:
        ProcessName|endswith:
            - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\procmon.exe'
            - '\procmon64.exe'
    filter_main_startswith:
        ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
    filter_optional_dropbox:
        ProcessName|startswith:
            - 'C:\Program Files (x86)\Dropbox\'
            - 'C:\Program Files\Dropbox\'
        ProcessName|endswith: '\Dropbox.exe'
    condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium