title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
    - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsolete
status: test
description: |
    Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2025-10-07
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_exec:
        CommandLine|contains:
            - '--processStart'
            - '--processStartAndWait'
            - '--createShortcut'
    filter_optional_discord:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Discord\Update.exe'
            - 'Discord.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStart'
    filter_optional_github_desktop:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\Update.exe'
            - 'GitHubDesktop.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStartAndWait'
    filter_optional_teams:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\Teams\Update.exe'
            - 'Teams.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    filter_optional_yammer:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\yammerdesktop\Update.exe'
            - 'Yammer.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium

title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'process'
    filter_main_creation:
        CommandLine|contains|all:
            # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
            - 'call'
            - 'create'
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: Processes Accessing the Microphone and Webcam
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
status: test
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
    - https://twitter.com/duzvik/status/1269671601852813320
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-07
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4657
            - 4656
            - 4663
        ObjectName|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Program Executed Using Proxy/Local Command Via SSH.EXE
id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
status: test
description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/
    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://man.openbsd.org/ssh_config#ProxyCommand
    - https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022-12-29
modified: 2025-10-16
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
        ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
    selection_cli_img:
        - Image|endswith: '\ssh.exe'
        - Product: 'OpenSSH for Windows'
        - Hashes|contains:
              - 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
              - 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
              - 'IMPHASH=27b0da080ef92afb37983d30d839141e'
              - 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
              - 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
              - 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
              - 'IMPHASH=5f959422308ac3d721010d66647e100e'
              - 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
              - 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
    selection_cli_flags:
        - CommandLine|contains: 'ProxyCommand='
        - CommandLine|contains|all:
              - 'PermitLocalCommand=yes'
              - ' LocalCommand'
    condition: selection_parent or all of selection_cli_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium

title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
    - attack.t1587
    - attack.t1584
    - attack.resource-development
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        exe|startswith:
            # Temporary folder
            - '/tmp/'
            # Web server
            - '/var/www/'              # Standard
            - '/home/*/public_html/'   # Per-user
            - '/usr/local/apache2/'    # Classical Apache
            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache
            - '/var/apache/'           # Solaris Apache
            - '/srv/www/'              # SuSE Linux 9.*
            - '/home/httpd/html/'      # Redhat 6 or older Apache
            - '/srv/http/'             # ArchLinux standard
            - '/usr/share/nginx/html/' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/'
            - '/usr/local/mysql/data/'
            - '/var/lib/mysql/'
            - '/var/vsftpd/'
            - '/etc/bind/'
            - '/var/named/'
    condition: selection
falsepositives:
    - Admin activity (especially in /tmp folders)
    - Crazy web applications
level: medium

title: Proxy Execution via Vshadow
id: d7c75059-2901-4578-b209-8837fd31c6a8
status: experimental
description: |
    Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
    VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
    attackers can leverage this parameter to proxy the execution of malware.
author: David Faiss
date: 2025-05-26
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
    - https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
tags:
    - attack.stealth
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\vshadow.exe'
        - OriginalFileName: 'vshadow.exe'
    selection_cli:
        CommandLine|contains: '-exec'
    condition: all of selection_*
falsepositives:
    - System backup or administrator tools
    - Legitimate administrative scripts
level: medium

title: PsExec Service Execution
id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
      type: obsolete
status: test
description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
date: 2017-06-12
modified: 2023-02-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image: 'C:\Windows\PSEXESVC.exe'
        - OriginalFileName: 'psexesvc.exe'
    condition: selection
falsepositives:
    - Legitimate administrative tasks
level: medium

title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: test
description: Detects PsExec service installation and execution events
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'PSEXESVC'
        - ImagePath|endswith: '\PSEXESVC.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: PsExec Tool Execution From Suspicious Locations - PipeName
id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463
related:
    - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
      type: derived
status: test
description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-04
modified: 2023-09-20
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: pipe_created
    product: windows
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName: '\PSEXESVC'
        Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
    condition: selection
falsepositives:
    - Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.
level: medium

title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1569
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\psexec.exe'
        - OriginalFileName: 'psexec.c'
    condition: selection
falsepositives:
    - Administrative scripts.
level: medium

title: Publisher Attachment File Dropped In Suspicious Location
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: test
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
references:
    - https://twitter.com/EmericNasi/status/1623224526220804098
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        TargetFilename|endswith: '.pub'
    condition: selection
falsepositives:
    - Legitimate usage of ".pub" files from those locations
level: medium

title: Pubprn.vbs Proxy Execution
id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
status: test
description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
author: frack113
date: 2022-05-28
tags:
    - attack.stealth
    - attack.t1216.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\pubprn.vbs'
            - 'script:'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: test
description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
    - https://pypi.org/project/scapy/
author: frack113
date: 2021-12-10
modified: 2025-03-05
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
detection:
    selection:
        Initiated: 'true'
        Image|contains|all:
            - '\python'
            - '.exe'
    filter_optional_conda:
        # Related to anaconda updates. Command example: "conda update conda"
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
        CommandLine|contains|all:
            - ':\ProgramData\Anaconda3\Scripts\conda-script.py'
            - 'update'
    filter_optional_conda_jupyter_notebook:
        # Related to anaconda opening an instance of Jupyter Notebook
        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
        ParentImage: C:\ProgramData\Anaconda3\python.exe
        CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
    filter_main_local_communication:
        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
        DestinationIp: 127.0.0.1
        SourceIp: 127.0.0.1
    filter_main_pip:
        CommandLine|contains|all:
            - 'pip.exe'
            - 'install'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
level: medium

title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: test
description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
references:
    - https://docs.python.org/3/using/cmdline.html#cmdoption-c
    - https://www.revshells.com/
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'python.exe'
        - Image|endswith:
              - 'python.exe' # no \ bc of e.g. ipython.exe
              - 'python3.exe'
              - 'python2.exe'
    selection_cli:
        CommandLine|contains: ' -c'
    filter_main_python_1: # Based on baseline
        ParentImage|startswith:
            - 'C:\Program Files\Python'
            - 'C:\Program Files (x86)\Python'
        ParentImage|endswith: '\python.exe'
        ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
    filter_main_python_trace: # Based on baseline
        ParentImage|startswith:
            - 'C:\Program Files\Python'
            - 'C:\Program Files (x86)\Python'
        CommandLine|contains|all:
            # CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
            - '-W ignore::DeprecationWarning'
            - "['install', '--no-cache-dir', '--no-index', '--find-links',"
            - "'--upgrade', 'pip'"
    filter_optional_vscode:
        - ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        - ParentImage:
              - 'C:\Program Files\Microsoft VS Code\Code.exe'
              - 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
    filter_optional_pip:
        CommandLine|contains|all:
            - '<pip-setuptools-caller>'
            - 'exec(compile('
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Python libraries that use a flag starting with "-c". Filter according to your environment
level: medium

title: Python Path Configuration File Creation - Linux
id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce
related:
    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
      type: similar
    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
        TargetFilename|endswith: '.pth'
    condition: selection
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium

title: Python Path Configuration File Creation - MacOS
id: 4f394635-13ef-4599-b677-3353e0f84f55
related:
    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
      type: similar
    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: macos
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
        TargetFilename|endswith: '.pth'
    condition: selection
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium

title: Python Path Configuration File Creation - Windows
id: e3652ba3-0ad8-4010-a957-b7ba369e7bac
related:
    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
      type: similar
    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)\\(venv|python(.+)?)\\lib\\site-packages\\' # Covers both Virtual envs and default paths
        TargetFilename|endswith: '.pth'
    filter_main_python:
        Image|endswith: '\python.exe'
        TargetFilename|endswith:
            - '\pywin32.pth' # VS Studio Python extension
            - '\distutils-precedence.pth'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium

title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
status: stable
description: Generic rule for SQL exceptions in Python according to PEP 249
references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
author: Thomas Patzke
date: 2017-08-12
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: python
detection:
    keywords:
        - DataError
        - IntegrityError
        - ProgrammingError
        - OperationalError
    condition: keywords
falsepositives:
    - Application bugs
level: medium

title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: test
description: |
    Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_cli_import:
        CommandLine|contains:
            - 'import pty'
            - 'from pty '
    selection_cli_spawn:
        CommandLine|contains: 'spawn'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_module:
        CommandLine|contains:
            - 'http.server'
            - 'SimpleHTTPServer'
    condition: all of selection_*
falsepositives:
    - Testing or development activity
level: medium

title: Query Usage To Exfil Data
id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
status: test
description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-01-19
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\query.exe'
        CommandLine|contains:
            - 'session >'
            - 'process >'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
related:
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: experimental
description: |
    Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
    In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
    In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
references:
    - https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
    - https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
    - https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-15
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\wmic.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'wmic.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_method:
        CommandLine|contains:
            - 'rdtoggle'
            - 'Win32_TerminalServiceSetting'
    selection_cli_property:
        CommandLine|contains: 'SetAllowTSConnections'
    condition: all of selection_*
falsepositives:
    - Legitimate system administrators enabling RDP for remote support
    - System configuration scripts during deployment
level: medium

title: RDP Sensitive Settings Changed to Zero
id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
related:
    - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
      type: similar
    - id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
references:
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-09-29
modified: 2022-11-26
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
            - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
            - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: medium

title: RDS Database Security Group Modification
id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015
status: test
description: |
    Detects changes to the security group entries for RDS databases.
    This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'rds.amazonaws.com'
        eventName:
            - 'AuthorizeDBSecurityGroupIngress'
            - 'CreateDBSecurityGroup'
            - 'DeleteDBSecurityGroup'
            - 'RevokeDBSecurityGroupIngress'
    condition: selection
falsepositives:
    - Creation of a new Database that needs new security group rules
level: medium

title: REGISTER_APP.VBS Proxy Execution
id: 1c8774a0-44d4-4db0-91f8-e792359c70bd
status: test
description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
references:
    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\register_app.vbs'
            - '-register'
    condition: selection
falsepositives:
    - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
level: medium

title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.DocumentDB/databaseAccounts/listKeys/action
        - Microsoft.Maps/accounts/listKeys/action
        - Microsoft.Media/mediaservices/listKeys/action
        - Microsoft.CognitiveServices/accounts/listKeys/action
        - Microsoft.Storage/storageAccounts/listKeys/action
        - Microsoft.Compute/snapshots/write
        - Microsoft.Network/networkSecurityGroups/write
    condition: keywords
falsepositives:
    - Valid change
level: medium

title: Rclone Activity via Proxy
id: 2c03648b-e081-41a5-b9fb-7d854a915091
status: test
description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
references:
    - https://rclone.org/
    - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
author: Janantha Marasinghe
date: 2022-10-18
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'rclone/v'
    condition: selection
falsepositives:
    - Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
level: medium

title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
status: test
description: Detects Rclone config files being created
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-05-09
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - ':\Users\'
            - '\.config\rclone\'
    condition: selection
falsepositives:
    - Legitimate Rclone usage
level: medium

title: Read Contents From Stdin Via Cmd.EXE
id: 241e802a-b65e-484f-88cd-c2dc10f9206d
related:
    - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
      type: obsolete
status: test
description: Detect the use of "<" to read and potentially execute a file via cmd.exe
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-07
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains: '<'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Rebuild Performance Counter Values Via Lodctr.EXE
id: cc9d3712-6310-4320-b2df-7cb408274d53
status: test
description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
references:
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
modified: 2024-03-05
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\lodctr.exe'
        OriginalFileName: 'LODCTR.EXE'
    selection_cli:
        CommandLine|contains|windash: ' -r'
    condition: all of selection_*
falsepositives:
    - Legitimate usage by an administrator
level: medium

title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
    Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2025-10-08
tags:
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
            - 'ipconfig*|*find'
            - 'net*|*find'
            - 'netstat*|*find'
            - 'ping*|*find'
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
    filter_optional_xampp:
        CommandLine|contains|all:
            - 'cmd.exe /c TASKLIST /V |'
            - 'FIND /I'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml

title: Recon Information for Export with Command Prompt
id: aa2efee7-34dd-446e-8a37-40790a66efd7
related:
    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
      type: similar
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-30
modified: 2022-09-13
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: process_creation
detection:
    selection_image:
        - Image|endswith:
              - '\tree.com'
              - '\WMIC.exe'
              - '\doskey.exe'
              - '\sc.exe'
        - OriginalFileName:
              - 'wmic.exe'
              - 'DOSKEY.EXE'
              - 'sc.exe'
    selection_redirect:
        ParentCommandLine|contains:
            - ' > %TEMP%\'
            - ' > %TMP%\'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: Recon Information for Export with PowerShell
id: a9723fcc-881c-424c-8709-fd61442ab3c3
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-30
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - 'Get-Service '
            - 'Get-ChildItem '
            - 'Get-Process '
    selection_redirect:
        ScriptBlockText|contains: '> $env:TEMP\'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium

title: RegAsm.EXE Initiating Network Connection To Public IP
id: 0531e43a-d77d-47c2-b89f-5fe50321c805
status: test
description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
references:
    - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/
    - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
author: frack113
date: 2024-04-25
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regasm.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Register New IFiltre For Persistence
id: b23818c7-e575-4d13-8012-332075ec0a2b
status: test
description: |
    Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
    You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
references:
    - https://persistence-info.github.io/Data/ifilters.html
    - https://twitter.com/0gtweet/status/1468548924600459267
    - https://github.com/gtworek/PSBits/tree/master/IFilter
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2024-03-26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection_ext:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\.'
            - '\PersistentHandler'
    selection_clsid:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\CLSID'
            - '\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}'
    filter_default_targets:
        TargetObject|contains:
            # TODO: Add the default extension PersistentHandler.
            # Note this could also offer blindspot as the attacker could use on of these and hijack them
            - '\CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\' # Office Open XML Format PowerPoint Persistent Handler
            - '\CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\' # Office Open XML Format Word Persistent Handler
            - '\CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\' # Microsoft OneNote Windows Desktop Search IFilter Persistent handler
            - '\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\' # Null persistent handler
            - '\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\' # PDF Persistent Handler
            - '\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\' # rtf persistent handler
            - '\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\' # Open Document Format ODT Persistent Handler
            - '\CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\' # Zip Persistent Handler
            - '\CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\' # Open Document Format ODS Persistent Handler
            - '\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\' # Setting Content File Persistent Handler
            - '\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\' # Plain Text persistent handler
            - '\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\' # Wordpad OOXML Document Filter
            - '\CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\' # XML File Persistent Handler
            - '\CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\' # .url File Persistent Handler
            - '\CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\' # html persistent handler for mapi email
            - '\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\' # Microsoft Office Persistent Handler
            - '\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\' # Wordpad ODT Document Filter
            - '\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\' # App Content File Persistent Handler
            - '\CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\' # rtf persistent handler for mapi email
            - '\CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\' # text persistent handler for mapi email
            - '\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\' # Open Document Format ODP Persistent Handler
            - '\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\' # Microsoft OneNote Section persistent handler
            - '\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler
            # - '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)
            - '\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\' # Office Outlook MSG Persistent Handler
    filter_generic_paths:
        Image|startswith:
            # Note: We assume if an attacker has access to one of these directories. Then he already has admin.
            - 'C:\Windows\System32\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate registration of IFilters by the OS or software
level: medium

title: Registry Explorer Policy Modification
id: 1c3121ed-041b-4d97-a075-07f54f20fb4a
status: test
description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu'
        Details: 'DWORD (0x00000001)'
    condition: selection_set_1
falsepositives:
    - Legitimate admin script
level: medium

title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium

title: Registry Manipulation via WMI Stdregprov
id: c453ab7a-1f5c-4716-a3b4-dea8135fb43a
status: experimental
description: |
    Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
references:
    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again
    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action
    - https://trustedsec.com/blog/wmi-for-script-kiddies
author: Daniel Koifman (KoifSec)
date: 2025-07-30
tags:
    - attack.persistence
    - attack.execution
    - attack.discovery
    - attack.defense-impairment
    - attack.t1047
    - attack.t1112
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\root\default Class StdRegProv Call CreateKey sSubKeyName=""SOFTWARE\Policies\DeleteMe""
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'stdregprov'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activity
level: medium

title: Registry Modification Attempt Via VBScript
id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
related:
    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
    It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
    Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Registry Modification Attempt Via VBScript - PowerShell
id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
related:
    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands.
    Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.
    This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
    - https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1059.005
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium

title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium

title: Registry Modification to Hidden File Extension
id: 5df86130-4e95-4a54-90f7-26541b40aec2
status: test
description: Hides the file extension through modification of the registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
    - https://unit42.paloaltonetworks.com/ransomware-families/
    - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection_HideFileExt:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
        Details: 'DWORD (0x00000001)'
    selection_Hidden:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000002)'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripts
level: medium

title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
id: 1c2a3268-3881-414a-80af-a5b313b14c0e
status: test
description: |
    Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
    These can be used for example in decrypting malicious payload for defense evasion.
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
    - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
author: Andreas Braathen (mnemonic.io)
date: 2023-12-01
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1059.001
    - attack.t1027.010
    - attack.t1547.001
    - detection.threat-hunting
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\Shell\Open\Command'
    selection_value_img:
        Details|contains:
            - 'powershell'
            - 'pwsh'
    selection_value_namespace:
        Details|contains: 'System.Security.Cryptography.'
    selection_value_classes:
        Details|contains:
            - '.AesCryptoServiceProvider'
            - '.DESCryptoServiceProvider'
            - '.DSACryptoServiceProvider'
            - '.RC2CryptoServiceProvider'
            - '.Rijndael'
            - '.RSACryptoServiceProvider'
            - '.TripleDESCryptoServiceProvider'
    condition: all of selection_*
falsepositives:
    - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
level: medium

title: Registry Tampering by Potentially Suspicious Processes
id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
related:
    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
      type: similar
    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
      type: similar
status: experimental
description: |
    Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
    These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
    without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
references:
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-13
modified: 2026-04-14
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1059.005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        Image|endswith:
            # Add more suspicious processes
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_binary_data:
        Details: 'Binary Data'
    filter_main_null:
        Details: null
    filter_main_wscript_legit_1:
        Image|endswith: '\wscript.exe'
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
            - '\Services\bam\State\UserSettings\S-1-'
            - 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
            - 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
    filter_main_wscript_legit_2:
        Image|endswith: '\wscript.exe'
        TargetObject|contains: '\wscript.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some legitimate admin or install scripts may use these processes for registry modifications.
level: medium

title: Registry-Free Process Scope COR_PROFILER
id: 23590215-4702-4a70-8805-8dc9e58314a2
status: test
description: |
    Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
    The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
    These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
    (Citation: Microsoft Profiling Mar 2017)
    (Citation: Microsoft COR_PROFILER Feb 2013)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.012
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '$env:COR_ENABLE_PROFILING'
            - '$env:COR_PROFILER'
            - '$env:COR_PROFILER_PATH'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium

title: Regsvr32 DLL Execution With Uncommon Extension
id: 50919691-7302-437f-8e10-1fe088afa145
status: test
description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
references:
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems)
date: 2019-07-17
modified: 2023-05-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1574
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    filter_main_legit_ext:
        CommandLine|contains:
            # Note: For better accuracy you might not want to use contains
            - '.ax'
            - '.cpl'
            - '.dll' # Covers ".dll.mui"
            - '.ocx'
    filter_optional_pascal:
        CommandLine|contains: '.ppl'
    filter_optional_avg:
        CommandLine|contains: '.bav'
    filter_main_null_4688:
        CommandLine: null
    filter_main_empty_4688:
        CommandLine: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate extensions currently not in the list either from third party or specific Windows components.
level: medium

title: Regsvr32 Execution From Potential Suspicious Location
id: 9525dc73-0327-438c-8c04-13c0e037e9da
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
references:
    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|contains:
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
level: medium

title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
id: ce2c44b5-a6ac-412a-afba-9e89326fa972
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: |
    Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location.
    When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
references:
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
    - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection
    - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
    - https://ss64.com/nt/regsvr32.html
author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-17
tags:
    - attack.stealth
    - attack.t1218
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cmdline:
        CommandLine|contains:
            - ' /s '
            - ' /e '
    filter_main_paths:
        - CommandLine|contains:
              - ':\Program Files (x86)'
              - ':\Program Files\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
        - CurrentDirectory|contains:
              - ':\Program Files (x86)'
              - ':\Program Files\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
    filter_main_other_flags:
        # Note: We filter other flags to keep the logic of the rule
        CommandLine|contains:
            - ' /i:'
            - '/U '
    filter_main_rpcproxy:
        ParentCommandLine|endswith: ':\Windows\System32\RpcProxy\RpcProxy.dll'
        CommandLine: 'regsvr32 /s rpcproxy.dll'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
level: medium

title: RemCom Service File Creation
id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
status: test
description: Detects default RemCom service filename which indicates RemCom service installation and execution
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\RemComSvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: RemCom Service Installation
id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
status: test
description: Detects RemCom service installation and execution events
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'RemComSvc'
        - ImagePath|endswith: '\RemComSvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium