SOAR
Panther
1,713 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,713
high
Moderate
High FP
Suspicious Kerberos Ticket Request via CLI
Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
techniques like silver ticket attacks.
view Sigma YAML
title: Suspicious Kerberos Ticket Request via CLI
id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
related:
- id: a861d835-af37-4930-bcd6-5b178bfb54df
type: similar
status: experimental
description: |
Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
techniques like silver ticket attacks.
references:
- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-18
tags:
- attack.credential-access
- attack.t1558.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
- '.GetRequest()'
condition: all of selection_*
falsepositives:
- Legitimate command line usage by administrators or security tools.
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
view Sigma YAML
title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
id: a861d835-af37-4930-bcd6-5b178bfb54df
related:
- id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
type: similar
status: test
description: |
Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: frack113
date: 2021-12-28
modified: 2025-11-18
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
- '.GetRequest()'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
view Sigma YAML
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
- attack.discovery
- attack.t1082
logsource:
product: windows
category: process_creation
detection:
selection_plain:
Image|endswith: '\dtrace.exe'
CommandLine|contains: 'lkd(0)'
selection_obfuscated:
CommandLine|contains|all:
- 'syscall:::return'
- 'lkd('
condition: 1 of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml
Convert to SIEM query
high
Strong
High FP
Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
view Sigma YAML
title: Suspicious Key Manager Access
id: a4694263-59a8-4608-a3a0-6f8d3a51664c
status: test
description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
references:
- https://twitter.com/NinjaParanoid/status/1516442028963659777
author: Florian Roth (Nextron Systems)
date: 2022-04-21
modified: 2023-02-09
tags:
- attack.credential-access
- attack.t1555.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'keymgr'
- 'KRShowKeyMgr'
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious LDAP-Attributes Used
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
view Sigma YAML
title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec
date: 2019-03-24
modified: 2022-10-05
tags:
- attack.t1001.003
- attack.command-and-control
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection:
EventID: 5136
AttributeValue|contains: '*'
AttributeLDAPDisplayName:
- 'primaryInternationalISDNNumber'
- 'otherFacsimileTelephoneNumber'
- 'primaryTelexNumber'
condition: selection
falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
view Sigma YAML
title: Suspicious LNK Command-Line Padding with Whitespace Characters
id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
status: experimental
description: |
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
references:
- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-19
tags:
- attack.initial-access
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\explorer.exe'
- ParentCommandLine|contains: '.lnk'
selection_cmd:
- CommandLine|contains:
- ' ' # Padding of SPACE (0x20)
# - ' ' # Horizontal Tab (0x9)
- '\u0009'
- '\u000A' # Line Feed
- '\u0011'
- '\u0012'
- '\u0013'
- '\u000B' # Vertical Tab
- '\u000C' # \x0C
- '\u000D' # \x0D
- CommandLine|re: '\n\n\n\n\n\n' # In some cases \u000[ABCD] are represented as a newline in the eventlog
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
view Sigma YAML
title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
- https://twitter.com/SBousseaden/status/1541920424635912196
- https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: '\svchost.exe'
GrantedAccess: '0x14c0'
CallTrace|contains: 'seclogon.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
view Sigma YAML
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
- id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
type: similar
status: experimental
description: |
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
- https://blog.axelarator.net/hunting-for-edr-freeze/
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
Image|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\Contacts\'
# - '\Desktop\'
- '\Documents\'
# - '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
# - '\AppData\Local\Temp\' some installers may load from here
selection_dll:
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
Convert to SIEM query
high
Moderate
High FP
Suspicious MSDT Parent Process
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
view Sigma YAML
title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022-06-01
modified: 2023-02-06
tags:
- attack.stealth
- attack.t1036
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
# Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
selection_msdt:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
view Sigma YAML
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\MSExchangeMailboxReplication.exe'
TargetFilename|endswith:
- '.aspx'
- '.asp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
view Sigma YAML
title: Suspicious MSHTA Child Process
id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
status: test
description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
references:
- https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
date: 2019-01-16
modified: 2023-02-06
tags:
- attack.stealth
- attack.t1218.005
- car.2013-02-003
- car.2013-03-001
- car.2014-04-003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\mshta.exe'
selection_child:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\bitsadmin.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wscript.exe'
- 'cscript.exe'
- 'Bash.exe'
- 'reg.exe'
- 'REGSVR32.EXE'
- 'bitsadmin.exe'
condition: all of selection*
falsepositives:
- Printer software / driver installations
- HP software
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Manipulation Of Default Accounts Via Net.EXE
Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
view Sigma YAML
title: Suspicious Manipulation Of Default Accounts Via Net.EXE
id: 5b768e71-86f2-4879-b448-81061cbae951
status: test
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
references:
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_user_option:
CommandLine|contains: ' user '
selection_username:
CommandLine|contains:
# Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
- ' Järjestelmänvalvoja ' # Finish
- ' Rendszergazda ' # Hungarian
- ' Администратор ' # Russian
- ' Administrateur ' # French
- ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
- ' Administratör ' # Swedish
- ' Administrator ' # English
- ' guest '
- ' DefaultAccount '
# The cases below are for when an attacker requests the net command via 'cmd /c....'
# First in double quotes
- ' "Järjestelmänvalvoja" ' # Finish
- ' "Rendszergazda" ' # Hungarian
- ' "Администратор" ' # Russian
- ' "Administrateur" ' # French
- ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
- ' "Administratör" ' # Swedish
- ' "Administrator" ' # English
- ' "guest" '
- ' "DefaultAccount" '
# Second in single quotes
- " 'Järjestelmänvalvoja' " # Finish
- " 'Rendszergazda' " # Hungarian
- " 'Администратор' " # Russian
- " 'Administrateur' " # French
- " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
- " 'Administratör' " # Swedish
- " 'Administrator' " # English
- " 'guest' "
- " 'DefaultAccount' "
filter:
CommandLine|contains|all:
- 'guest'
- '/active no'
condition: all of selection_* and not filter
falsepositives:
- Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
view Sigma YAML
title: Suspicious Microsoft Office Child Process
id: 438025f9-5856-4663-83f7-52f878a70a50
related:
- id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks
type: derived
- id: e1693bc8-7168-4eab-8718-cdcaa68a1738
type: derived
- id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
type: obsolete
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml
- https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
- https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
date: 2018-04-06
modified: 2023-04-24
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\EQNEDT32.EXE'
- '\EXCEL.EXE'
- '\MSACCESS.EXE'
- '\MSPUB.exe'
- '\ONENOTE.EXE'
- '\POWERPNT.exe'
- '\VISIO.exe'
- '\WINWORD.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_child_processes:
- OriginalFileName:
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'wscript.exe'
- Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\wmic.exe'
- '\workfolders.exe'
- '\wscript.exe'
selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
Image|contains:
- '\AppData\'
- '\Users\Public\'
- '\ProgramData\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
- '\Windows\System32\Tasks\'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
view Sigma YAML
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
- attack.execution
- attack.persistence
- attack.t1059.002
- attack.t1137.002
- attack.t1204.002
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Microsoft Word'
- 'Microsoft Excel'
- 'Microsoft PowerPoint'
- 'Microsoft OneNote'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/fish'
- '/osacompile'
- '/osascript'
- '/sh'
- '/zsh'
- '/python'
- '/python3'
- '/wget'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
view Sigma YAML
title: Suspicious Microsoft OneNote Child Process
id: c27515df-97a9-4162-8a60-dc0eeb51b775
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes
type: derived
status: test
description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
- https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-21
modified: 2023-02-10
tags:
- attack.t1566
- attack.t1566.001
- attack.initial-access
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\onenote.exe'
selection_opt_img:
- OriginalFileName:
- 'bitsadmin.exe'
- 'CertOC.exe'
- 'CertUtil.exe'
- 'Cmd.Exe'
- 'CMSTP.EXE'
- 'cscript.exe'
- 'curl.exe'
- 'HH.exe'
- 'IEExec.exe'
- 'InstallUtil.exe'
- 'javaw.exe'
- 'Microsoft.Workflow.Compiler.exe'
- 'msdt.exe'
- 'MSHTA.EXE'
- 'msiexec.exe'
- 'Msxsl.exe'
- 'odbcconf.exe'
- 'pcalua.exe'
- 'PowerShell.EXE'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.exe'
- 'RUNDLL32.exe'
- 'schtasks.exe'
- 'ScriptRunner.exe'
- 'wmic.exe'
- 'WorkFolders.exe'
- 'wscript.exe'
- Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certoc.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cmstp.exe'
- '\control.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\ieexec.exe'
- '\installutil.exe'
- '\javaw.exe'
- '\mftrace.exe'
- '\Microsoft.Workflow.Compiler.exe'
- '\msbuild.exe'
- '\msdt.exe'
- '\mshta.exe'
- '\msidb.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\pcalua.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regasm.exe'
- '\regsvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe'
- '\verclsid.exe'
- '\wmic.exe'
- '\workfolders.exe'
- '\wscript.exe'
selection_opt_explorer:
Image|endswith: '\explorer.exe'
CommandLine|contains:
- '.hta'
- '.vb'
- '.wsh'
- '.js'
- '.ps'
- '.scr'
- '.pif'
- '.bat'
- '.cmd'
selection_opt_paths:
Image|contains:
- '\AppData\'
- '\Users\Public\'
- '\ProgramData\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
- '\Windows\System32\Tasks\'
filter_teams:
Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
CommandLine|endswith: '-Embedding'
filter_onedrive:
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
Image|endswith: '\FileCoAuth.exe'
CommandLine|endswith: '-Embedding'
condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*
falsepositives:
- File located in the AppData folder with trusted signature
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
view Sigma YAML
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
- id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog
type: similar
status: test
description: |
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
references:
- Internal Research
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /Change '
- ' /TN '
selection_susp_locations:
CommandLine|contains:
- '\AppData\Local\Temp'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
selection_susp_images:
CommandLine|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
- 'hh '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Mshta.EXE Execution Patterns
Detects suspicious mshta process execution patterns
view Sigma YAML
title: Suspicious Mshta.EXE Execution Patterns
id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
status: test
description: Detects suspicious mshta process execution patterns
references:
- https://en.wikipedia.org/wiki/HTML_Application
- https://www.echotrail.io/insights/search/mshta.exe
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-17
modified: 2023-02-21
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'MSHTA.EXE'
selection_susp:
# Suspicious parents
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
# Suspicious folders
CommandLine|contains:
- '\AppData\Local\'
- 'C:\ProgramData\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
filter_img:
# Filter legit Locations
- Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
# Suspicious extensions
- CommandLine|contains:
- '.htm'
- '.hta'
# Filter simple execution
- CommandLine|endswith:
- 'mshta.exe'
- 'mshta'
condition: all of selection_* or (selection_img and not filter_img)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
view Sigma YAML
title: Suspicious Mstsc.EXE Execution With Local RDP File
id: 6e22722b-dfb1-4508-a911-49ac840b40f8
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
selection_extension:
CommandLine|endswith:
- '.rdp'
- '.rdp"'
selection_paths:
# Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env
CommandLine|contains:
- ':\Users\Public\'
- ':\Windows\System32\spool\drivers\color'
- ':\Windows\System32\Tasks_Migrated '
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
# - '\Desktop\' # Could be source of FP depending on the environment
- '\Downloads\' # Could be source of FP depending on the environment
condition: all of selection_*
falsepositives:
- Likelihood is related to how often the paths are used in the environment
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious NTLM Authentication on the Printer Spooler Service
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
view Sigma YAML
title: Suspicious NTLM Authentication on the Printer Spooler Service
id: bb76d96b-821c-47cf-944b-7ce377864492
status: test
description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
references:
- https://twitter.com/med0x2e/status/1520402518685200384
- https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
author: Elastic (idea), Tobias Michalski (Nextron Systems)
date: 2022-05-04
modified: 2023-02-09
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1212
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'C:\windows\system32\davclnt.dll,DavSetCookie'
- 'http'
CommandLine|contains:
- 'spoolss'
- 'srvsvc'
- '/print/pipe/'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
view Sigma YAML
title: Suspicious Named Error
id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
status: test
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
author: Florian Roth (Nextron Systems)
date: 2018-02-20
modified: 2022-10-05
tags:
- attack.initial-access
- attack.t1190
logsource:
product: linux
service: syslog
detection:
keywords:
- ' dropping source port zero packet from '
- ' denied AXFR from '
- ' exiting (due to fatal error)'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Network Connection Binary No CommandLine
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
view Sigma YAML
title: Suspicious Network Connection Binary No CommandLine
id: 20384606-a124-4fec-acbb-8bd373728613
status: test
description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
references:
- https://redcanary.com/blog/raspberry-robin/
author: Florian Roth (Nextron Systems)
date: 2022-07-03
tags:
- attack.stealth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\regsvr32.exe'
- '\rundll32.exe'
- '\dllhost.exe'
CommandLine|endswith:
- '\regsvr32.exe'
- '\rundll32.exe'
- '\dllhost.exe'
filter_no_cmdline:
CommandLine: ''
filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
CommandLine: null
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious New Service Creation
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
view Sigma YAML
title: Suspicious New Service Creation
id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8
related:
- id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
type: derived
status: test
description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2022-11-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'create'
- 'binPath='
selection_posh:
CommandLine|contains|all:
- 'New-Service'
- '-BinaryPathName'
susp_binpath:
CommandLine|contains:
# Add more suspicious commands or binaries
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'svchost'
- 'dllhost'
- 'cmd '
- 'cmd.exe /c'
- 'cmd.exe /k'
- 'cmd.exe /r'
- 'rundll32'
# Add more suspicious paths
- 'C:\Users\Public'
- '\Downloads\'
- '\Desktop\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- 'C:\Windows\TEMP\'
- '\AppData\Local\Temp'
condition: 1 of selection* and susp_binpath
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
view Sigma YAML
title: Suspicious Nohup Execution
id: 457df417-8b9d-4912-85f3-9dbda39c3645
related:
- id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
type: derived
status: test
description: Detects execution of binaries located in potentially suspicious locations via "nohup"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.execution
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/nohup'
CommandLine|contains: '/tmp/'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Obfuscated PowerShell Code
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
view Sigma YAML
title: Suspicious Obfuscated PowerShell Code
id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
status: test
description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
references:
- https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
author: Florian Roth (Nextron Systems)
date: 2022-07-11
modified: 2023-02-14
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# -bxor 0x
- 'IAAtAGIAeABvAHIAIAAwAHgA'
- 'AALQBiAHgAbwByACAAMAB4A'
- 'gAC0AYgB4AG8AcgAgADAAeA'
# .Invoke() |
- 'AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg'
- 'AuAEkAbgB2AG8AawBlACgAKQAgAHwAI'
- 'ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC'
# {1}{0}" -f
# {0}{3}" -f
# {2}{0}" -f
- 'AHsAMQB9AHsAMAB9ACIAIAAtAGYAI'
- 'B7ADEAfQB7ADAAfQAiACAALQBmAC'
- 'AewAxAH0AewAwAH0AIgAgAC0AZgAg'
- 'AHsAMAB9AHsAMwB9ACIAIAAtAGYAI'
- 'B7ADAAfQB7ADMAfQAiACAALQBmAC'
- 'AewAwAH0AewAzAH0AIgAgAC0AZgAg'
- 'AHsAMgB9AHsAMAB9ACIAIAAtAGYAI'
- 'B7ADIAfQB7ADAAfQAiACAALQBmAC'
- 'AewAyAH0AewAwAH0AIgAgAC0AZgAg'
# {1}{0}' -f
# {0}{3}' -f
# {2}{0}' -f
- 'AHsAMQB9AHsAMAB9ACcAIAAtAGYAI'
- 'B7ADEAfQB7ADAAfQAnACAALQBmAC'
- 'AewAxAH0AewAwAH0AJwAgAC0AZgAg'
- 'AHsAMAB9AHsAMwB9ACcAIAAtAGYAI'
- 'B7ADAAfQB7ADMAfQAnACAALQBmAC'
- 'AewAwAH0AewAzAH0AJwAgAC0AZgAg'
- 'AHsAMgB9AHsAMAB9ACcAIAAtAGYAI'
- 'B7ADIAfQB7ADAAfQAnACAALQBmAC'
- 'AewAyAH0AewAwAH0AJwAgAC0AZgAg'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
view Sigma YAML
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
type: derived
- id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\OUTLOOK.EXE'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\msdt.exe' # CVE-2022-30190
- '\mshta.exe'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
# Several FPs with rundll32.exe
# We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
# - '\rundll32.exe'
# filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains: '\PhotoViewer.dll'
# filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains|all:
# - 'shell32.dll,Control_RunDLL'
# - '\SYSTEM32\SPOOL\DRIVERS\'
condition: selection # and not 1 of filter*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
- id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
filter:
Image|endswith: '\outlook.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Parent Double Extension File Execution
Detect execution of suspicious double extension files in ParentCommandLine
view Sigma YAML
title: Suspicious Parent Double Extension File Execution
id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
related:
- id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
type: derived
status: test
description: Detect execution of suspicious double extension files in ParentCommandLine
references:
- https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-06
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036.007
logsource:
category: process_creation
product: windows
detection:
selection:
- ParentImage|endswith:
- '.doc.lnk'
- '.docx.lnk'
- '.xls.lnk'
- '.xlsx.lnk'
- '.ppt.lnk'
- '.pptx.lnk'
- '.rtf.lnk'
- '.pdf.lnk'
- '.txt.lnk'
- '.doc.js'
- '.docx.js'
- '.xls.js'
- '.xlsx.js'
- '.ppt.js'
- '.pptx.js'
- '.rtf.js'
- '.pdf.js'
- '.txt.js'
- ParentCommandLine|contains:
- '.doc.lnk'
- '.docx.lnk'
- '.xls.lnk'
- '.xlsx.lnk'
- '.ppt.lnk'
- '.pptx.lnk'
- '.rtf.lnk'
- '.pdf.lnk'
- '.txt.lnk'
- '.doc.js'
- '.docx.js'
- '.xls.js'
- '.xlsx.js'
- '.ppt.js'
- '.pptx.js'
- '.rtf.js'
- '.pdf.js'
- '.txt.js'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Path In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
view Sigma YAML
title: Suspicious Path In Keyboard Layout IME File Registry Value
id: 9d8f9bb8-01af-4e15-a3a2-349071530530
related:
- id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
type: derived
status: test
description: |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_registry:
TargetObject|contains|all:
- '\Control\Keyboard Layouts\'
- 'Ime File'
selection_folders_1:
Details|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Temporary Internet'
selection_folders_2:
- Details|contains|all:
- ':\Users\'
- '\Favorites\'
- Details|contains|all:
- ':\Users\'
- '\Favourites\'
- Details|contains|all:
- ':\Users\'
- '\Contacts\'
condition: selection_registry and 1 of selection_folders_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
view Sigma YAML
title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 236d8e89-ed95-4789-a982-36f4643738ba
related:
- id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_bin_img:
- Image|endswith: '\VMwareToolBoxCmd.exe'
- OriginalFileName: 'toolbox-cmd.exe'
selection_bin_cli:
CommandLine|contains|all:
- ' script '
- ' set '
selection_susp_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Ping/Del Command Combination
Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
view Sigma YAML
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
- https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
# Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
selection_count:
CommandLine|contains|windash: ' -n '
selection_nul:
CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
selection_del_param:
CommandLine|contains|windash:
- ' -f '
- ' -q '
selection_all:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'del '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Plink Port Forwarding
Detects suspicious Plink tunnel port forwarding to a local port
view Sigma YAML
title: Suspicious Plink Port Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
status: test
description: Detects suspicious Plink tunnel port forwarding to a local port
references:
- https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
- https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth (Nextron Systems)
date: 2021-01-19
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1572
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection:
Description: 'Command-line SSH, Telnet, and Rlogin client'
CommandLine|contains: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
view Sigma YAML
title: Suspicious PowerShell Download and Execute Pattern
id: e6c54d94-498c-4562-a37c-b469d8e9a275
related:
- id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
type: derived
status: test
description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
references:
- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2022-02-28
modified: 2022-03-01
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: # make sure that your backend applies the strings case-insensitive
- 'IEX ((New-Object Net.WebClient).DownloadString'
- 'IEX (New-Object Net.WebClient).DownloadString'
- 'IEX((New-Object Net.WebClient).DownloadString'
- 'IEX(New-Object Net.WebClient).DownloadString'
- ' -command (New-Object System.Net.WebClient).DownloadFile('
- ' -c (New-Object System.Net.WebClient).DownloadFile('
condition: selection
falsepositives:
- Software installers that pull packages from remote systems and execute them
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell Encoded Command Patterns
Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
view Sigma YAML
title: Suspicious PowerShell Encoded Command Patterns
id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
status: test
description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
references:
- https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
date: 2022-05-24
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.Exe'
- 'pwsh.dll'
selection_flags:
CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
selection_encoded:
CommandLine|contains:
- ' JAB'
- ' SUVYI'
- ' SQBFAFgA'
- ' aWV4I'
- ' IAB'
- ' PAA'
- ' aQBlAHgA'
filter_gcworker:
ParentImage|contains:
- 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
- '\gc_worker.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Other tools that work with encoded scripts in the command line instead of script files
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Execution using IEX alias
view Sigma YAML
title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: test
description: Detects suspicious ways to run Invoke-Execution using IEX alias
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-24
modified: 2022-11-28
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_combined_1:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' | iex;'
- ' | iex '
- ' | iex}'
- ' | IEX ;'
- ' | IEX -Error'
- ' | IEX (new'
- ');IEX '
selection_combined_2:
CommandLine|contains:
- '::FromBase64String'
- '.GetString([System.Convert]::'
selection_standalone:
CommandLine|contains:
- ')|iex;$'
- ');iex($'
- ');iex $'
- ' | IEX | '
- ' | iex\"'
condition: all of selection_combined_* or selection_standalone
falsepositives:
- Legitimate scripts that use IEX
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
view Sigma YAML
title: Suspicious PowerShell Invocations - Generic
id: ed965133-513f-41d9-a441-e38076a0798f
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
- id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-12
modified: 2023-01-03
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_encoded:
ScriptBlockText|contains:
- ' -enc '
- ' -EncodedCommand '
- ' -ec '
selection_hidden:
ScriptBlockText|contains:
- ' -w hidden '
- ' -window hidden '
- ' -windowstyle hidden '
- ' -w 1 '
selection_noninteractive:
ScriptBlockText|contains:
- ' -noni '
- ' -noninteractive '
condition: all of selection*
falsepositives:
- Very special / sneaky PowerShell scripts
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
view Sigma YAML
title: Suspicious PowerShell Invocations - Generic - PowerShell Module
id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
- id: ed965133-513f-41d9-a441-e38076a0798f
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-12
modified: 2023-01-03
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_encoded:
ContextInfo|contains:
- ' -enc '
- ' -EncodedCommand '
- ' -ec '
selection_hidden:
ContextInfo|contains:
- ' -w hidden '
- ' -window hidden '
- ' -windowstyle hidden '
- ' -w 1 '
selection_noninteractive:
ContextInfo|contains:
- ' -noni '
- ' -noninteractive '
condition: all of selection*
falsepositives:
- Very special / sneaky PowerShell scripts
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
view Sigma YAML
title: Suspicious PowerShell Invocations - Specific
id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: obsolete
- id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017-03-05
modified: 2025-02-17
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_convert_b64:
ScriptBlockText|contains|all:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
selection_iex_selection:
ScriptBlockText|contains|all:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
selection_enc_selection:
ScriptBlockText|contains|all:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
selection_reg_selection:
ScriptBlockText|contains|all:
- 'powershell'
- 'reg'
- 'add'
ScriptBlockText|contains:
- '\software\microsoft\windows\currentversion\run'
- '\software\wow6432node\microsoft\windows\currentversion\run'
- '\software\microsoft\windows\currentversion\policies\explorer\run'
selection_webclient_selection:
ScriptBlockText|contains|all:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
selection_iex_webclient:
ScriptBlockText|contains|all:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
- 'Write-ChocolateyWarning'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
view Sigma YAML
title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: obsolete
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017-03-05
modified: 2025-02-17
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_convert_b64:
ContextInfo|contains|all:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
selection_iex:
ContextInfo|contains|all:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
selection_enc:
ContextInfo|contains|all:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
selection_reg:
ContextInfo|contains|all:
- 'powershell'
- 'reg'
- 'add'
ContextInfo|contains:
- '\software\microsoft\windows\currentversion\run'
- '\software\wow6432node\microsoft\windows\currentversion\run'
- '\software\microsoft\windows\currentversion\policies\explorer\run'
selection_webclient:
ContextInfo|contains|all:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
selection_iex_webclient:
ContextInfo|contains|all:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
ContextInfo|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
view Sigma YAML
title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
- ' -executionpolic '
- ' -executionpoli '
- ' -executionpol '
- ' -executionpo '
- ' -executionp '
- ' -execution bypass'
- ' -executio bypass'
- ' -executi bypass'
- ' -execut bypass'
- ' -execu bypass'
- ' -exec bypass'
- ' -exe bypass'
- ' -ex bypass'
- ' -ep bypass'
- ' /windowstyle h '
- ' /windowstyl h'
- ' /windowsty h'
- ' /windowst h'
- ' /windows h'
- ' /windo h'
- ' /wind h'
- ' /win h'
- ' /wi h'
- ' /win h '
- ' /win hi '
- ' /win hid '
- ' /win hidd '
- ' /win hidde '
- ' /NoPr '
- ' /NoPro '
- ' /NoProf '
- ' /NoProfi '
- ' /NoProfil '
- ' /nonin '
- ' /nonint '
- ' /noninte '
- ' /noninter '
- ' /nonintera '
- ' /noninterac '
- ' /noninteract '
- ' /noninteracti '
- ' /noninteractiv '
- ' /ec '
- ' /encodedComman '
- ' /encodedComma '
- ' /encodedComm '
- ' /encodedCom '
- ' /encodedCo '
- ' /encodedC '
- ' /encoded '
- ' /encode '
- ' /encod '
- ' /enco '
- ' /en '
- ' /executionpolic '
- ' /executionpoli '
- ' /executionpol '
- ' /executionpo '
- ' /executionp '
- ' /execution bypass'
- ' /executio bypass'
- ' /executi bypass'
- ' /execut bypass'
- ' /execu bypass'
- ' /exec bypass'
- ' /exe bypass'
- ' /ex bypass'
- ' /ep bypass'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious PowerShell Parent Process
Detects a suspicious or uncommon parent processes of PowerShell
view Sigma YAML
title: Suspicious PowerShell Parent Process
id: 754ed792-634f-40ae-b3bc-e0448d33f695
related:
- id: 692f0bec-83ba-4d04-af7e-e884a96059b6
type: derived
status: test
description: Detects a suspicious or uncommon parent processes of PowerShell
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
author: Teymur Kheirkhabarov, Harish Segar
date: 2020-03-20
modified: 2023-02-04
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
- ParentImage|contains: 'tomcat'
- ParentImage|endswith:
- '\amigo.exe'
- '\browser.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\httpd.exe'
- '\iexplore.exe'
- '\jbosssvc.exe'
- '\microsoftedge.exe'
- '\microsoftedgecp.exe'
- '\MicrosoftEdgeSH.exe'
- '\mshta.exe'
- '\nginx.exe'
- '\outlook.exe'
- '\php-cgi.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\safari.exe'
- '\services.exe'
- '\sqlagent.exe'
- '\sqlserver.exe'
- '\sqlservr.exe'
- '\vivaldi.exe'
- '\w3wp.exe'
selection_powershell:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- CommandLine|contains:
- '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line
- '/c pwsh'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
condition: all of selection_*
falsepositives:
- Other scripts
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
view Sigma YAML
title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: test
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
author: Florian Roth (Nextron Systems)
date: 2020-07-01
modified: 2023-08-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574
- cve.2021-1675
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Control\Print\Environments\Windows x64\Drivers'
- '\Manufacturer'
Details: '(Empty)'
filter_cutepdf:
TargetObject|contains: '\CutePDF Writer v4.0\'
filter_vnc:
TargetObject|contains:
- '\VNC Printer (PS)\'
- '\VNC Printer (UD)\'
filter_pdf24:
TargetObject|contains: '\Version-3\PDF24\'
condition: selection and not 1 of filter_*
falsepositives:
- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
view Sigma YAML
title: Suspicious PrinterPorts Creation (CVE-2020-1048)
id: cc08d590-8b90-413a-aff6-31d1a99678d7
status: test
description: Detects new commands that add new printer port which point to suspicious file
references:
- https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth
date: 2020-05-13
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.t1059.001
- cve.2020-1048
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: 'Add-PrinterPort -Name'
selection2:
CommandLine|contains:
- '.exe'
- '.dll'
- '.bat'
selection3:
CommandLine|contains: 'Generic / Text Only'
condition: (selection1 and selection2) or selection3
falsepositives:
- New printer port install on host
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.
This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
view Sigma YAML
title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
related:
- id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
type: similar
- id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
type: similar
status: experimental
description: |
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.
This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
references:
- https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_access
product: windows
definition: |
Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled.
Example sysmon config snippet with grouping, as logging individual ProcessAccess events can generate excessive logs:
<ProcessAccess onmatch="include">
<Rule groupRelation="and">
<TargetImage condition="end with">\MsMpEng.exe</TargetImage>
<SourceImage condition="end with">\WerFaultSecure.exe</SourceImage>
</Rule>
</ProcessAccess>
detection:
selection:
SourceImage|endswith: '\WerFaultSecure.exe'
TargetImage|endswith: '\MsMpEng.exe'
CallTrace|contains:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: selection
falsepositives:
- Legitimate Windows Error Reporting operations
level: high
regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
view Sigma YAML
title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
- id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
type: similar
status: experimental
description: |
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
references:
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003.001
- attack.t1685
logsource:
category: process_access
product: windows
detection:
selection_lsass_calltrace:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
# The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
# but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
# Uncomment if you observe false positives with the default rule.
# selection_granted_access:
# GrantedAccess|contains:
# - '0x1fffff'
# - '0x10'
# - '0x1010'
# - '0x1410'
# - '0x1438'
selection_susp_location:
SourceImage|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Possibly during software installation or update processes
level: high
regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
view Sigma YAML
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1505.003
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\php.exe'
- '\tomcat.exe'
- '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- '\w3wp.exe'
- '\ws_TomcatService.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.home'
- 'catalina.jar'
selection_anomaly_children:
Image|endswith:
- '\arp.exe'
- '\at.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dsget.exe'
- '\hostname.exe'
- '\nbtstat.exe'
- '\net.exe'
- '\net1.exe'
- '\netdom.exe'
- '\netsh.exe'
- '\nltest.exe'
- '\ntdsutil.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\qprocess.exe'
- '\query.exe'
- '\qwinsta.exe'
- '\reg.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wusa.exe'
filter_main_fp_1:
ParentImage|endswith: '\java.exe'
CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
filter_main_fp_2:
ParentImage|endswith: '\java.exe'
CommandLine|contains|all:
- 'sc query'
- 'ADManager Plus'
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
view Sigma YAML
title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
- id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
references:
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'process '
- 'call '
- 'create '
CommandLine|contains:
# Add more susupicious paths and binaries as you see fit in your env
- 'rundll32'
- 'bitsadmin'
- 'regsvr32'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'powershell'
- 'pwsh'
- 'certutil'
- 'cscript'
- 'wscript'
- 'mshta'
- '\Users\Public\'
- '\Windows\Temp\'
- '\AppData\Local\'
- '%temp%'
- '%tmp%'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
view Sigma YAML
title: Suspicious Process Execution From Fake Recycle.Bin Folder
id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
related:
- id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
type: derived
status: test
description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
- attack.persistence
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
view Sigma YAML
title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
- id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
type: similar
- id: e4a6b256-3e47-40fc-89d2-7a477edd6915
type: similar
status: test
description: |
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
- https://tria.ge/240731-jh4crsycnb/behavioral2
- https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
filter_main_img_location:
Image:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
filter_main_ofn:
OriginalFileName: 'svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
view Sigma YAML
title: Suspicious Process Parents
id: cbec226f-63d9-4eca-9f52-dfb6652f24df
status: test
description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
references:
- https://twitter.com/x86matthew/status/1505476263464607744?s=12
- https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2022-09-08
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\minesweeper.exe'
- '\winver.exe'
- '\bitsadmin.exe'
selection_special:
ParentImage|endswith:
- '\csrss.exe'
- '\certutil.exe'
# - '\schtasks.exe'
- '\eventvwr.exe'
- '\calc.exe'
- '\notepad.exe'
filter_special:
Image|endswith:
- '\WerFault.exe'
- '\wermgr.exe'
- '\conhost.exe' # csrss.exe, certutil.exe
- '\mmc.exe' # eventvwr.exe
- '\win32calc.exe' # calc.exe
- '\notepad.exe'
filter_null:
Image: null
condition: selection or ( selection_special and not 1 of filter_* )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
view Sigma YAML
title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
status: test
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
- https://github.com/zcgonvh/NTDSDumpEx
- https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2022-11-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: process_creation
detection:
selection_tool:
# https://github.com/zcgonvh/NTDSDumpEx
- Image|endswith:
- '\NTDSDump.exe'
- '\NTDSDumpEx.exe'
- CommandLine|contains|all:
# ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
- 'ntds.dit'
- 'system.hiv'
- CommandLine|contains: 'NTDSgrab.ps1'
selection_oneliner_1:
# powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
CommandLine|contains|all:
- 'ac i ntds'
- 'create full'
selection_onliner_2:
# cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
CommandLine|contains|all:
- '/c copy '
- '\windows\ntds\ntds.dit'
selection_onliner_3:
# ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit"
CommandLine|contains|all:
- 'activate instance ntds'
- 'create full'
selection_powershell:
CommandLine|contains|all:
- 'powershell'
- 'ntds.dit'
set1_selection_ntds_dit:
CommandLine|contains: 'ntds.dit'
set1_selection_image_folder:
- ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
- Image|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: 1 of selection* or all of set1*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1401-1450 of 1,713