Panther

1,492 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered as Panther Python rule() functions and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert. Note that Sigma's startswith, endswith, contains and exact-value matches are case-insensitive, while the rendered Python string methods (startswith, endswith, in) are not; lower-case both sides or normalise case in your schema, or a lower-cased path such as c:\windows\system32\... will silently miss.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.

Detection rules

50 shown of 1,492
medium
DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").startswith("C:\\Windows\\"),
            any(
                [
                    event.deep_get("ImageLoaded", default="").startswith("C:\\Users\\Public\\"),
                    event.deep_get("ImageLoaded", default="").startswith("C:\\PerfLogs\\"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|startswith: 'C:\Windows\'
        ImageLoaded|startswith:
            # TODO: Add more suspicious paths as you see fit in your env
            - 'C:\Users\Public\'
            - 'C:\PerfLogs\'
    condition: selection
falsepositives:
    - Unknown
level: medium
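As an added example (not part of the Sigma rule or of the Panther rendering above), the following harness does what the "Validate" step asks: it runs the rule's logic over a few constructed image_load events and shows the case-sensitivity gap the "Adapt" step warns about. The `Event` class is a stand-in for Panther's event object (assumption: only `deep_get` is needed); the sample events are constructed, not real telemetry.

```python
# Added example: validate the "DLL Load By System Process From Suspicious
# Locations" logic against constructed events, as rendered (case-sensitive)
# and with Sigma's case-insensitive semantics.
from typing import Any


class Event:
    """Minimal stand-in for Panther's event object (assumption: only deep_get is used)."""

    def __init__(self, data: dict):
        self._data = data

    def deep_get(self, *keys: str, default: Any = None) -> Any:
        cur: Any = self._data
        for key in keys:
            if not isinstance(cur, dict) or key not in cur:
                return default
            cur = cur[key]
        return cur


SYSTEM_PREFIX = "C:\\Windows\\"
SUSPICIOUS_PREFIXES = ("C:\\Users\\Public\\", "C:\\PerfLogs\\")


def rule_as_rendered(event: Event) -> bool:
    """Literal logic of the rendered Panther rule: Python startswith, case-sensitive."""
    image = event.deep_get("Image", default="")
    loaded = event.deep_get("ImageLoaded", default="")
    return image.startswith(SYSTEM_PREFIX) and loaded.startswith(SUSPICIOUS_PREFIXES)


def rule_case_insensitive(event: Event) -> bool:
    """Same selection with Sigma semantics: compare lower-cased values."""
    image = event.deep_get("Image", default="").lower()
    loaded = event.deep_get("ImageLoaded", default="").lower()
    return image.startswith(SYSTEM_PREFIX.lower()) and loaded.startswith(
        tuple(p.lower() for p in SUSPICIOUS_PREFIXES)
    )


# Constructed sample events using Sysmon image_load field names (not real telemetry).
SAMPLES = [
    ("benign", {"Image": "C:\\Windows\\System32\\svchost.exe",
                "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"}),
    ("public_dll", {"Image": "C:\\Windows\\System32\\svchost.exe",
                    "ImageLoaded": "C:\\Users\\Public\\x.dll"}),
    ("lowercase", {"Image": "c:\\windows\\system32\\svchost.exe",
                   "ImageLoaded": "c:\\users\\public\\x.dll"}),
    ("no_fields", {"EventID": 7}),
]


def evaluate(rule) -> dict:
    """Return {sample label: rule fired} for one rule function over SAMPLES."""
    return {label: rule(Event(data)) for label, data in SAMPLES}


if __name__ == "__main__":
    print("rendered        :", evaluate(rule_as_rendered))
    print("case-insensitive:", evaluate(rule_case_insensitive))
```

The "lowercase" sample is the one to watch: it is the same load as "public_dll" with a differently-cased path, which Sigma would match and the rendered Python does not. Keep a sample like it in the unit tests Panther runs for the rule.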
medium
DLL Loaded via CertOC.EXE
Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
status: test · author: Austin Songer @austinsonger · id: 242301bc-f92f-4476-8718-78004a6efd9f
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\certoc.exe"),
                    event.deep_get("OriginalFileName", default="") == "CertOC.exe",
                ]
            ),
            any(
                [
                    " -LoadDLL " in event.deep_get("CommandLine", default=""),
                    " /LoadDLL " in event.deep_get("CommandLine", default=""),
                    " –LoadDLL " in event.deep_get("CommandLine", default=""),
                    " —LoadDLL " in event.deep_get("CommandLine", default=""),
                    " ―LoadDLL " in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DLL Loaded via CertOC.EXE
id: 242301bc-f92f-4476-8718-78004a6efd9f
related:
    - id: 84232095-ecca-4015-b0d7-7726507ee793
      type: similar
status: test
description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
references:
    - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Austin Songer @austinsonger
date: 2021-10-23
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|windash: ' -LoadDLL '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
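The five `" -LoadDLL "`, `" /LoadDLL "`, en-dash, em-dash and horizontal-bar variants in the rendered rule are what Sigma's `|windash` modifier expands to. The following added example (not from the rule or from any Sigma converter) shows that expansion and the single case-insensitive regex that is cheaper than enumerating variants; it treats only `-` in the pattern as the placeholder, which is an assumption of this example, and the command lines are constructed.

```python
# Added example: expand a Sigma |windash pattern and match it case-insensitively.
import re

# The dash alternatives the rendered rule enumerates: '-', '/', en dash, em dash, horizontal bar.
WINDASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(pattern: str) -> list:
    """Expand every '-' in pattern into the windash alternatives.
    A pattern with n dashes yields 5**n strings, which is why the regex form below is preferable."""
    variants = [""]
    for ch in pattern:
        if ch == "-":
            variants = [v + d for v in variants for d in WINDASH_CHARS]
        else:
            variants = [v + ch for v in variants]
    return variants


def windash_regex(pattern: str):
    """Equivalent single regex: each '-' becomes a character class, everything else is escaped.
    IGNORECASE reproduces Sigma's case-insensitive contains."""
    parts = [
        "[" + "".join(re.escape(d) for d in WINDASH_CHARS) + "]" if ch == "-" else re.escape(ch)
        for ch in pattern
    ]
    return re.compile("".join(parts), re.IGNORECASE)


LOADDLL_RE = windash_regex(" -LoadDLL ")


def cmdline_has_loaddll(cmdline: str) -> bool:
    """Sigma: CommandLine|contains|windash ' -LoadDLL '."""
    return LOADDLL_RE.search(cmdline) is not None


if __name__ == "__main__":
    # Constructed command lines, not captured telemetry.
    for cmd in (
        "certoc.exe -LoadDLL C:\\Users\\Public\\x.dll",
        "certoc.exe /loaddll C:\\Users\\Public\\x.dll",
        "certoc.exe \u2014LoadDLL C:\\Users\\Public\\x.dll",
        "certoc.exe -v",
    ):
        print(cmdline_has_loaddll(cmd), cmd)
```

Note that the rendered rule keeps Python's case-sensitive `in`, so `/loaddll` (lower-case) would not match it even though Sigma's `contains` would; the regex form closes that gap.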
medium
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
status: test · author: CISA · id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
panther query
def rule(event):
    if any(
        [
            event.deep_get("ImageLoaded", default="").endswith("\\AclNumsInvertHost.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\AddressResourcesSpec.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\BlendMonitorStringBuild.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\ChildPaletteConnected.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\DeregisterSeekUsers.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\HandleFrequencyAll.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\HardSwapColor.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\LengthInMemoryActivate.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\ModeBitmapNumericAnimate.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\ModeFolderSignMove.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\ParametersNamesPopup.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\PerformanceCaptionApi.dll"),
            event.deep_get("ImageLoaded", default="").endswith("\\ScrollbarHandleGet.dll"),
            event.deep_get("ImageLoaded", default="").endswith(
                "\\UnregisterAncestorAppendAuto.dll"
            ),
            event.deep_get("ImageLoaded", default="").endswith("\\WowIcmpRemoveReg.dll"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: test
description: Hunts known SVR-specific DLL names.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023-12-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\AclNumsInvertHost.dll'
            - '\AddressResourcesSpec.dll'
            - '\BlendMonitorStringBuild.dll'
            - '\ChildPaletteConnected.dll'
            - '\DeregisterSeekUsers.dll'
            - '\HandleFrequencyAll.dll'
            - '\HardSwapColor.dll'
            - '\LengthInMemoryActivate.dll'
            - '\ModeBitmapNumericAnimate.dll'
            - '\ModeFolderSignMove.dll'
            - '\ParametersNamesPopup.dll'
            - '\PerformanceCaptionApi.dll'
            - '\ScrollbarHandleGet.dll'
            - '\UnregisterAncestorAppendAuto.dll'
            - '\WowIcmpRemoveReg.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: 02122374-b74e-495c-b285-9e4da973f3d6
panther query
def rule(event):
    if all(
        [
            "New-ADServiceAccount" in event.deep_get("ScriptBlockText", default=""),
            "-CreateDelegatedServiceAccount" in event.deep_get("ScriptBlockText", default=""),
            "-path" in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: selection
falsepositives:
    - Unknown
level: medium
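Two things a practitioner will notice in the rendering above: the selection only requires that `-path` appears somewhere, so despite the title it does not know which OU the account landed in, and the Python `in` check is case-sensitive while PowerShell parameters are not (most people type `-Path`). The following added example (not part of the Sigma rule) matches the three tokens case-insensitively, extracts the `-Path` distinguished name for the alert, and fires only when the OU is outside an allowlist. The `EXPECTED_DMSA_OUS` set and the script blocks are constructed for illustration; `alert_context` is Panther's optional per-rule function for attaching fields to an alert.

```python
# Added example: OU-aware, case-insensitive variant of the dMSA creation rule.
import re

# Assumption for illustration: OUs where your provisioning tooling legitimately creates dMSAs.
EXPECTED_DMSA_OUS = {
    "ou=service accounts,dc=corp,dc=example",
}

CMDLET_RE = re.compile(r"New-ADServiceAccount\b", re.IGNORECASE)
DMSA_FLAG_RE = re.compile(r"-CreateDelegatedServiceAccount\b", re.IGNORECASE)
# -Path value in single quotes, double quotes, or bare (bare form stops at whitespace).
PATH_RE = re.compile(r"""-Path\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.IGNORECASE)


def target_ou(script: str):
    """Return the lower-cased -Path distinguished name, or None if absent."""
    m = PATH_RE.search(script)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None).strip().lower()


def classify(script: str) -> dict:
    """Pure function over ScriptBlockText so the logic can be unit-tested without an event."""
    is_dmsa_creation = bool(CMDLET_RE.search(script) and DMSA_FLAG_RE.search(script))
    ou = target_ou(script) if is_dmsa_creation else None
    # Fire on dMSA creation into any OU not on the allowlist. Like the original
    # rule, a command with no -Path at all does not fire.
    fire = is_dmsa_creation and ou is not None and ou not in EXPECTED_DMSA_OUS
    return {"dmsa_creation": is_dmsa_creation, "target_ou": ou, "fire": fire}


def rule(event) -> bool:
    return classify(event.deep_get("ScriptBlockText", default=""))["fire"]


def alert_context(event) -> dict:
    script = event.deep_get("ScriptBlockText", default="")
    return {"target_ou": target_ou(script), "script_block": script[:500]}


if __name__ == "__main__":
    # Constructed script blocks, not captured telemetry.
    for script in (
        'New-ADServiceAccount -Name svc1 -CreateDelegatedServiceAccount -Path "OU=temp,DC=corp,DC=example"',
        "new-adserviceaccount -Name svc2 -createdelegatedserviceaccount -path 'OU=Service Accounts,DC=corp,DC=example'",
        "New-ADServiceAccount -Name gmsa1 -Path 'OU=temp,DC=corp,DC=example'",
    ):
        print(classify(script))
```

The second sample is the case the rendered rule misses (`-path` appears, but a `-createdelegatedserviceaccount` in lower case does not match the case-sensitive `in`), and it is also the allowlisted OU that this variant deliberately does not fire on.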
medium
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
status: test · author: Dmitriy Lifanov, oscd.community · id: 36e037c4-c228-4866-b6a3-48eb292b9955
panther query
def rule(event):
    if event.deep_get("Image", default="").endswith("\\regsvr32.exe"):
        return True
    return False
view Sigma YAML
title: DNS Query Request By Regsvr32.EXE
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
    - id: c7e91a02-d771-4a6d-a700-42587e0b1095
      type: derived
status: test
description: Detects DNS queries initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query to "azurewebsites.net" by a non-browser process on the system. The domain has often been used by threat actors to host malware and as an exfiltration site.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: e043f529-8514-4205-8ab0-7f7d2927b400
panther query
def rule(event):
    if all(
        [
            event.deep_get("QueryName", default="").endswith("azurewebsites.net"),
            not any(
                [
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
                    ],
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                        "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
                    ],
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
                        "C:\\Program Files\\Internet Explorer\\iexplore.exe",
                    ],
                    any(
                        [
                            event.deep_get("Image", default="").startswith(
                                "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"
                            ),
                            event.deep_get("Image", default="").endswith(
                                "\\WindowsApps\\MicrosoftEdge.exe"
                            ),
                            event.deep_get("Image", default="")
                            in [
                                "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                                "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
                            ],
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Microsoft\\EdgeCore\\"
                                    ),
                                ]
                            ),
                            any(
                                [
                                    event.deep_get("Image", default="").endswith("\\msedge.exe"),
                                    event.deep_get("Image", default="").endswith(
                                        "\\msedgewebview2.exe"
                                    ),
                                ]
                            ),
                        ]
                    ),
                    event.deep_get("Image", default="").endswith("\\safari.exe"),
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\MsMpEng.exe"),
                            event.deep_get("Image", default="").endswith("\\MsSense.exe"),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\brave.exe"),
                            event.deep_get("Image", default="").startswith(
                                "C:\\Program Files\\BraveSoftware\\"
                            ),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Maxthon\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\maxthon.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Programs\\Opera\\"
                            in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\opera.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\SeaMonkey\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\SeaMonkey\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\seamonkey.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Vivaldi\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\vivaldi.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Naver\\Naver Whale\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Naver\\Naver Whale\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\whale.exe"),
                        ]
                    ),
                    "\\Tor Browser\\" in event.deep_get("Image", default=""),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Waterfox\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Waterfox\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\Waterfox.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Programs\\midori-ng\\"
                            in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith(
                                "\\Midori Next Generation.exe"
                            ),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\SlimBrowser\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\SlimBrowser\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\slimbrowser.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Flock\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\Flock.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Phoebe\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\Phoebe.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Falkon\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Falkon\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\falkon.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Avant Browser\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Avant Browser\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\avant.exe"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
    - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
      type: derived
status: test
description: |
    Detects a DNS query to "azurewebsites.net" by a non-browser process on the system. The domain has often been used by threat actors to host malware and as an exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: 'azurewebsites.net'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
medium
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
status: experimental · author: Ahmed Nosir (@egycondor) · id: f8c1e80b-c73a-476a-ae24-6c72528b1521
panther query
def rule(event):
    if any(
        [
            "msapp.workers.dev" in event.deep_get("QueryName", default=""),
            "trycloudflare.com" in event.deep_get("QueryName", default=""),
            "infinityfreeapp.com" in event.deep_get("QueryName", default=""),
            "my5353.com" in event.deep_get("QueryName", default=""),
            "reurl.cc" in event.deep_get("QueryName", default=""),
            "lihi.cc" in event.deep_get("QueryName", default=""),
            "tinyurl.com" in event.deep_get("QueryName", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS Query To Common Malware Hosting and Shortener Services
id: f8c1e80b-c73a-476a-ae24-6c72528b1521
status: experimental
description: |
    Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
    These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
    Such DNS activity can indicate potential delivery or command-and-control communication attempts.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
author: Ahmed Nosir (@egycondor)
date: 2025-06-02
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains:
            - 'msapp.workers.dev'
            - 'trycloudflare.com'
            - 'infinityfreeapp.com'
            - 'my5353.com'
            - 'reurl.cc'
            - 'lihi.cc'
            - 'tinyurl.com'
    condition: selection
falsepositives:
    - Legitimate use of these services is possible but rare in enterprise environments
level: medium
medium
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status: test · author: citron_ninja · id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
panther query
def rule(event):
    if event.deep_get("QueryName", default="").endswith(".devtunnels.ms"):
        return True
    return False
view Sigma YAML
title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
status: test
description: |
    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium
medium
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
status: test · author: Aaron Greetham (@beardofbinary) - NCC Group · id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
panther query
def rule(event):
    if "userstorage.mega.co.nz" in event.deep_get("QueryName", default=""):
        return True
    return False
view Sigma YAML
title: DNS Query To MEGA Hosting Website
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
    - id: 66474410-b883-415f-9f8d-75345a0a66a6
      type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'userstorage.mega.co.nz'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Mega
level: medium
medium
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 66474410-b883-415f-9f8d-75345a0a66a6
panther query
def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 3008,
            "userstorage.mega.co.nz" in event.deep_get("QueryName", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS Query To MEGA Hosting Website - DNS Client
id: 66474410-b883-415f-9f8d-75345a0a66a6
related:
    - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
      type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains: 'userstorage.mega.co.nz'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Mega
level: medium
medium
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
status test author Omar Khaled (@beacon_exe) id 8b69fd42-9dad-4674-abef-7fdef43ef92a
panther query
def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 3008,
            any(
                [
                    "api.put.io" in event.deep_get("QueryName", default=""),
                    "upload.put.io" in event.deep_get("QueryName", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS Query To Put.io - DNS Client
id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
status: test
description: Detects DNS queries for subdomains related to "Put.io" sharing website.
references:
    - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
author: Omar Khaled (@beacon_exe)
date: 2024-08-23
tags:
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains:
            - 'api.put.io'
            - 'upload.put.io'
    condition: selection
falsepositives:
    - Legitimate DNS queries and usage of Put.io
level: medium
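Both DNS Client rules above share one shape: EventID 3008 from Microsoft-Windows-DNS-Client/Operational plus a Sigma `contains` on QueryName. Two details matter when porting them beyond Panther: the rendered `== 3008` only matches if the shipper delivered EventID as a number, and Python's `in` is case-sensitive while Sigma string matching is not. Added example, not from the page or the rule authors: the shared logic with both normalisations, run over constructed DNS Client records (hostnames made up for the example).

```python
from typing import Any, Iterable, List, Mapping, Optional, Tuple

# Needles from the two rules above (already lower case; matching is case-folded).
MEGA_NEEDLES = ("userstorage.mega.co.nz",)
PUTIO_NEEDLES = ("api.put.io", "upload.put.io")


def event_id(event: Mapping[str, Any]) -> Optional[int]:
    """EventID as an int however the shipper typed it.

    Windows forwarders are inconsistent: some emit a JSON number, others the
    string "3008". A bare `== 3008` silently misses the string form."""
    try:
        return int(event.get("EventID"))
    except (TypeError, ValueError):
        return None


def query_name(event: Mapping[str, Any]) -> str:
    """QueryName folded to lower case: Sigma matches case-insensitively, so a
    query logged as UPLOAD.PUT.IO must still hit."""
    return str(event.get("QueryName", "")).lower()


def dns_client_rule(event: Mapping[str, Any], needles: Iterable[str]) -> bool:
    """Shape shared by both rules: DNS Client event 3008 whose QueryName
    contains any needle (Sigma `contains` is a substring test, not a suffix)."""
    if event_id(event) != 3008:
        return False
    name = query_name(event)
    return any(needle in name for needle in needles)


def rule_mega(event: Mapping[str, Any]) -> bool:
    return dns_client_rule(event, MEGA_NEEDLES)


def rule_putio(event: Mapping[str, Any]) -> bool:
    return dns_client_rule(event, PUTIO_NEEDLES)


# Constructed sample records (not real telemetry), shaped like the
# Microsoft-Windows-DNS-Client/Operational events the rules expect.
SAMPLE_EVENTS = [
    {"EventID": 3008, "QueryName": "gfs270n123.userstorage.mega.co.nz"},  # storage node
    {"EventID": "3008", "QueryName": "api.put.io"},                       # EventID shipped as a string
    {"EventID": 3008, "QueryName": "UPLOAD.PUT.IO"},                      # upper-cased by the client
    {"EventID": 3006, "QueryName": "api.put.io"},                         # a different DNS Client event
    {"EventID": 3008, "QueryName": "mega.nz"},                            # web front end, not in the list
    {"EventID": 3008, "QueryName": "userstorage.mega.co.nz.example"},     # look-alike embedding the needle
]


def evaluate(events: Iterable[Mapping[str, Any]]) -> List[Tuple[int, str]]:
    """Run both rules over a batch; return (index, rule_name) for every hit."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, rule in (("mega", rule_mega), ("putio", rule_putio)):
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for i, name in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name} -> {SAMPLE_EVENTS[i]['QueryName']}")
```

`contains` is a substring test, so the look-alike in the last record also fires; that is usually what you want, since a legitimate name embedded in a foreign domain is suspicious in itself, but switch to a dotted suffix if it proves noisy. Neither rule covers the mega.nz web front end, only the userstorage nodes that bulk uploads talk to.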
medium
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113, Connor Martin id 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
panther query
def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("QueryName", default="").endswith("agent.jumpcloud.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "agentreporting.atera.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("ammyy.com"),
                            event.deep_get("QueryName", default="").endswith("api.parsec.app"),
                            event.deep_get("QueryName", default="").endswith("api.playanext.com"),
                            event.deep_get("QueryName", default="").endswith("api.splashtop.com"),
                            event.deep_get("QueryName", default="").endswith("app.atera.com"),
                            event.deep_get("QueryName", default="").endswith("assist.zoho.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "authentication.logmeininc.com"
                            ),
                            event.deep_get("QueryName", default="").endswith(
                                "beyondtrustcloud.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("cdn.kaseya.net"),
                            event.deep_get("QueryName", default="").endswith(
                                "client.teamviewer.com"
                            ),
                            event.deep_get("QueryName", default="").endswith(
                                "comserver.corporate.beanywhere.com"
                            ),
                            event.deep_get("QueryName", default="").endswith(
                                "control.connectwise.com"
                            ),
                            event.deep_get("QueryName", default="").endswith(
                                "downloads.zohocdn.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("dwservice.net"),
                            event.deep_get("QueryName", default="").endswith(
                                "express.gotoassist.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("getgo.com"),
                            event.deep_get("QueryName", default="").endswith("getscreen.me"),
                            event.deep_get("QueryName", default="").endswith(
                                "integratedchat.teamviewer.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("join.zoho.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "kickstart.jumpcloud.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("license.bomgar.com"),
                            event.deep_get("QueryName", default="").endswith("logmein-gateway.com"),
                            event.deep_get("QueryName", default="").endswith("logmein.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "logmeincdn.http.internapcdn.net"
                            ),
                            event.deep_get("QueryName", default="").endswith("n-able.com"),
                            event.deep_get("QueryName", default="").endswith("net.anydesk.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "netsupportsoftware.com"
                            ),
                            event.deep_get("QueryName", default="").endswith(
                                "parsecusercontent.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("pubsub.atera.com"),
                            event.deep_get("QueryName", default="").endswith("relay.kaseya.net"),
                            event.deep_get("QueryName", default="").endswith(
                                "relay.screenconnect.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("relay.splashtop.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "remoteassistance.support.services.microsoft.com"
                            ),
                            event.deep_get("QueryName", default="").endswith(
                                "remotedesktop-pa.googleapis.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("remoteutilities.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "secure.logmeinrescue.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("services.vnc.com"),
                            event.deep_get("QueryName", default="").endswith("static.remotepc.com"),
                            event.deep_get("QueryName", default="").endswith("swi-rc.com"),
                            event.deep_get("QueryName", default="").endswith("swi-tc.com"),
                            event.deep_get("QueryName", default="").endswith("tailscale.com"),
                            event.deep_get("QueryName", default="").endswith(
                                "telemetry.servers.qetqo.com"
                            ),
                            event.deep_get("QueryName", default="").endswith("tmate.io"),
                            event.deep_get("QueryName", default="").endswith("twingate.com"),
                            event.deep_get("QueryName", default="").endswith("zohoassist.com"),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("QueryName", default="").endswith(".rustdesk.com"),
                            event.deep_get("QueryName", default="").startswith("rs-"),
                        ]
                    ),
                ]
            ),
            not any(
                [
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
                    ],
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                        "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
                    ],
                    event.deep_get("Image", default="")
                    in [
                        "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
                        "C:\\Program Files\\Internet Explorer\\iexplore.exe",
                    ],
                    any(
                        [
                            event.deep_get("Image", default="").startswith(
                                "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"
                            ),
                            event.deep_get("Image", default="").endswith(
                                "\\WindowsApps\\MicrosoftEdge.exe"
                            ),
                            event.deep_get("Image", default="")
                            in [
                                "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                                "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
                            ],
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Microsoft\\EdgeCore\\"
                                    ),
                                ]
                            ),
                            any(
                                [
                                    event.deep_get("Image", default="").endswith("\\msedge.exe"),
                                    event.deep_get("Image", default="").endswith(
                                        "\\msedgewebview2.exe"
                                    ),
                                ]
                            ),
                        ]
                    ),
                    event.deep_get("Image", default="").endswith("\\safari.exe"),
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\MsMpEng.exe"),
                            event.deep_get("Image", default="").endswith("\\MsSense.exe"),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\brave.exe"),
                            event.deep_get("Image", default="").startswith(
                                "C:\\Program Files\\BraveSoftware\\"
                            ),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Maxthon\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\maxthon.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Programs\\Opera\\"
                            in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\opera.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\SeaMonkey\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\SeaMonkey\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\seamonkey.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Vivaldi\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\vivaldi.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Naver\\Naver Whale\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Naver\\Naver Whale\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\whale.exe"),
                        ]
                    ),
                    "\\Tor Browser\\" in event.deep_get("Image", default=""),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Waterfox\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Waterfox\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\Waterfox.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Programs\\midori-ng\\"
                            in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith(
                                "\\Midori Next Generation.exe"
                            ),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\SlimBrowser\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\SlimBrowser\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\slimbrowser.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Flock\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\Flock.exe"),
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Phoebe\\" in event.deep_get("Image", default=""),
                            event.deep_get("Image", default="").endswith("\\Phoebe.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Falkon\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Falkon\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\falkon.exe"),
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files (x86)\\Avant Browser\\"
                                    ),
                                    event.deep_get("Image", default="").startswith(
                                        "C:\\Program Files\\Avant Browser\\"
                                    ),
                                ]
                            ),
                            event.deep_get("Image", default="").endswith("\\avant.exe"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsolete
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsolete
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsolete
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com'  # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_waterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
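The rule above pairs a suffix list with process-path exclusions, and the exclusions are where it is strong or weak: Sysmon's Image is a full path, so an exact-path filter cannot be satisfied by dropping a binary called chrome.exe into a user-writable directory, whereas `filter_optional_defender` matches on the file name alone. Added example, not from the page or the rule authors, in Python so it reads next to the Panther rendering: a case-folded version of the selection, a representative subset of the browser filters (extend it from the YAML), the Defender filter both as written and anchored to Defender's install directories (the directories are an assumption of this example), run over constructed Sysmon Event ID 22 records.

```python
from typing import Any, Iterable, List, Mapping

# Subset of the rule's selection_generic suffixes (lower-cased); extend it from
# the YAML list in the same way. The rule is an endswith match, keep them verbatim.
RMM_SUFFIXES = (
    "client.teamviewer.com", "net.anydesk.com", "relay.screenconnect.com",
    "control.connectwise.com", "logmein.com", "tailscale.com", "twingate.com",
    "remoteassistance.support.services.microsoft.com",
)

# Exact-path browser exclusions from the rule (chrome, firefox, ie, edge), lower-cased.
BROWSER_PATHS = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
    "c:\\program files (x86)\\mozilla firefox\\firefox.exe",
    "c:\\program files (x86)\\internet explorer\\iexplore.exe",
    "c:\\program files\\internet explorer\\iexplore.exe",
    "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe",
    "c:\\program files\\microsoft\\edge\\application\\msedge.exe",
}
# Directories Defender's engine normally runs from: an assumption of this
# example, confirm against your own fleet before relying on it.
DEFENDER_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)


def is_rmm_query(query_name: str) -> bool:
    """selection_generic OR selection_rustdesk, case-folded as Sigma intends."""
    name = query_name.lower()
    return name.endswith(RMM_SUFFIXES) or (
        name.startswith("rs-") and name.endswith(".rustdesk.com"))


def is_browser_image(image: str) -> bool:
    """Path-anchored browser exclusions. Sysmon's Image is a full path, so a
    binary merely named chrome.exe under C:\\Users\\Public does not pass."""
    img = image.lower()
    if img in BROWSER_PATHS or img.endswith("\\windowsapps\\microsoftedge.exe"):
        return True
    if img.startswith(("c:\\program files\\microsoft\\edgecore\\",
                       "c:\\program files (x86)\\microsoft\\edgecore\\")):
        return img.endswith(("\\msedge.exe", "\\msedgewebview2.exe"))
    return img.startswith("c:\\program files\\bravesoftware\\") and img.endswith("\\brave.exe")


def is_defender_image(image: str, anchored: bool) -> bool:
    """filter_optional_defender. As written in the rule it is a bare file-name
    suffix; anchored=True additionally requires a known Defender directory."""
    img = image.lower()
    if not img.endswith(("\\msmpeng.exe", "\\mssense.exe")):
        return False
    return img.startswith(DEFENDER_DIRS) if anchored else True


def rule(event: Mapping[str, Any], anchored_defender: bool = False) -> bool:
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    if not is_rmm_query(str(event.get("QueryName", ""))):
        return False
    image = str(event.get("Image", ""))
    return not (is_browser_image(image) or is_defender_image(image, anchored_defender))


# Constructed Sysmon Event ID 22 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "QueryName": "client.teamviewer.com"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "client.teamviewer.com"},                                          # real browser: excluded
    {"Image": "C:\\Users\\Public\\chrome.exe", "QueryName": "net.anydesk.com"},         # renamed binary, wrong path
    {"Image": "C:\\Users\\Public\\MsMpEng.exe", "QueryName": "relay.screenconnect.com"},  # suffix-only filter
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\rd.exe", "QueryName": "rs-ny.rustdesk.com"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "CLIENT.TEAMVIEWER.COM"},  # case-folded
    {"Image": "C:\\Users\\Public\\update.exe", "QueryName": "teamviewer.com"},          # apex not in list
]


def alerting_indices(events: Iterable[Mapping[str, Any]], anchored_defender: bool = False) -> List[int]:
    return [i for i, ev in enumerate(events) if rule(ev, anchored_defender)]


if __name__ == "__main__":
    print("as rendered:", alerting_indices(SAMPLE_EVENTS))
    print("anchored Defender filter:", alerting_indices(SAMPLE_EVENTS, True))
```

The rendered query keeps the rule's string comparisons case-sensitive; Sigma modifiers are case-insensitive, so the record with CLIENT.TEAMVIEWER.COM is one a production port should still catch. Whatever you add to the exclusion list, anchor it to a directory as the browser filters do, not to a file name: the fourth record shows a binary named MsMpEng.exe in a public directory slipping past the filter as written.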
medium
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author citron_ninja id b3e6418f-7c7a-4fad-993a-93b65027a9f1
panther query
def rule(event):
    if event.deep_get("QueryName", default="").endswith(".tunnels.api.visualstudio.com"):
        return True
    return False
view Sigma YAML
title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: '.tunnels.api.visualstudio.com'
    condition: selection
falsepositives:
    - Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
medium
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
status test author Saw Winn Naung, Azure-Sentinel id a8322756-015c-42e7-afb1-436e85ed3ff5
panther query
def rule(event):
    if any(
        [
            event.deep_get("query", default="").endswith(".hiddenservice.net"),
            event.deep_get("query", default="").endswith(".onion.ca"),
            event.deep_get("query", default="").endswith(".onion.cab"),
            event.deep_get("query", default="").endswith(".onion.casa"),
            event.deep_get("query", default="").endswith(".onion.city"),
            event.deep_get("query", default="").endswith(".onion.direct"),
            event.deep_get("query", default="").endswith(".onion.dog"),
            event.deep_get("query", default="").endswith(".onion.glass"),
            event.deep_get("query", default="").endswith(".onion.gq"),
            event.deep_get("query", default="").endswith(".onion.guide"),
            event.deep_get("query", default="").endswith(".onion.in.net"),
            event.deep_get("query", default="").endswith(".onion.ink"),
            event.deep_get("query", default="").endswith(".onion.it"),
            event.deep_get("query", default="").endswith(".onion.link"),
            event.deep_get("query", default="").endswith(".onion.lt"),
            event.deep_get("query", default="").endswith(".onion.lu"),
            event.deep_get("query", default="").endswith(".onion.ly"),
            event.deep_get("query", default="").endswith(".onion.mn"),
            event.deep_get("query", default="").endswith(".onion.network"),
            event.deep_get("query", default="").endswith(".onion.nu"),
            event.deep_get("query", default="").endswith(".onion.pet"),
            event.deep_get("query", default="").endswith(".onion.plus"),
            event.deep_get("query", default="").endswith(".onion.pt"),
            event.deep_get("query", default="").endswith(".onion.pw"),
            event.deep_get("query", default="").endswith(".onion.rip"),
            event.deep_get("query", default="").endswith(".onion.sh"),
            event.deep_get("query", default="").endswith(".onion.si"),
            event.deep_get("query", default="").endswith(".onion.to"),
            event.deep_get("query", default="").endswith(".onion.top"),
            event.deep_get("query", default="").endswith(".onion.ws"),
            event.deep_get("query", default="").endswith(".onion"),
            event.deep_get("query", default="").endswith(".s1.tor-gateways.de"),
            event.deep_get("query", default="").endswith(".s2.tor-gateways.de"),
            event.deep_get("query", default="").endswith(".s3.tor-gateways.de"),
            event.deep_get("query", default="").endswith(".s4.tor-gateways.de"),
            event.deep_get("query", default="").endswith(".s5.tor-gateways.de"),
            event.deep_get("query", default="").endswith(".t2w.pw"),
            event.deep_get("query", default="").endswith(".tor2web.ae.org"),
            event.deep_get("query", default="").endswith(".tor2web.blutmagie.de"),
            event.deep_get("query", default="").endswith(".tor2web.com"),
            event.deep_get("query", default="").endswith(".tor2web.fi"),
            event.deep_get("query", default="").endswith(".tor2web.io"),
            event.deep_get("query", default="").endswith(".tor2web.org"),
            event.deep_get("query", default="").endswith(".tor2web.xyz"),
            event.deep_get("query", default="").endswith(".torlink.co"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung , Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, an organization loses visibility into data such as query type, response and originating IP that are used to identify bad actors.
status test author Austin Songer id 04b45a8a-d11d-49e4-9acc-4a1b524407a5
panther query
def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("TargetObject", default="").endswith(
                        "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled"
                    ),
                    event.deep_get("Details", default="") == "DWORD (0x00000001)",
                ]
            ),
            all(
                [
                    event.deep_get("TargetObject", default="").endswith(
                        "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode"
                    ),
                    event.deep_get("Details", default="") == "secure",
                ]
            ),
            all(
                [
                    event.deep_get("TargetObject", default="").endswith(
                        "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled"
                    ),
                    event.deep_get("Details", default="") == "DWORD (0x00000001)",
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
    Detects when a user enables DNS-over-HTTPS.
    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
    - https://github.com/elastic/detection-rules/issues/1371
    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1140
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_edge:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
        Details: DWORD (0x00000001)
    selection_chrome:
        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
        Details: 'secure'
    selection_firefox:
        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
        Details: DWORD (0x00000001)
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: medium
medium
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source host and not on the Domain Controller.
status test author Roberto Rodriguez @Cyb3rWard0g id 39a94fd1-8c9a-4ff6-bf22-c058762f8014
panther query
def rule(event):
    if event.deep_get("EventID", default="") == 4692:
        return True
    return False
view Sigma YAML
title: DPAPI Domain Master Key Backup Attempt
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
status: test
description: Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source host and not on the Domain Controller.
references:
    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2023-03-15
tags:
    - attack.credential-access
    - attack.t1003.004
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4692
    condition: selection
falsepositives:
    - If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
level: medium
medium
DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
status test author Micah Babinski id 1a433e1d-03d2-47a6-8063-ece992cf4e73
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\Autoit3.exe"),
                    event.deep_get("Image", default="").endswith("\\curl.exe"),
                    event.deep_get("Image", default="").endswith("\\ExtExport.exe"),
                    event.deep_get("Image", default="").endswith("\\KeyScramblerLogon.exe"),
                    event.deep_get("Image", default="").endswith("\\wmprph.exe"),
                ]
            ),
            event.deep_get("TargetFilename", default="").endswith("\\Autoit3.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: test
description: |
    Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
    This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
    process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
    processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
    - https://github.security.telekom.com/2023/08/darkgate-loader.html
    - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
    - https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023-10-15
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1105
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\Autoit3.exe'
            - '\curl.exe'
            - '\ExtExport.exe'
            - '\KeyScramblerLogon.exe'
            - '\wmprph.exe'
        TargetFilename|endswith: '\Autoit3.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in the C:\temp folder.
status test author Tomasz Dyduch, Josh Nickels id df49c691-8026-48dd-94d3-4ba6a79102a8
panther query
def rule(event):
    if any(
        [
            all(
                [
                    ":\\temp\\" in event.deep_get("TargetFilename", default=""),
                    any(
                        [
                            event.deep_get("TargetFilename", default="").endswith(".au3"),
                            event.deep_get("TargetFilename", default="").endswith("\\autoit3.exe"),
                        ]
                    ),
                ]
            ),
            all(
                [
                    ":\\temp\\" in event.deep_get("Image", default=""),
                    any(
                        [
                            event.deep_get("Image", default="").endswith(".au3"),
                            event.deep_get("Image", default="").endswith("\\autoit3.exe"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
id: df49c691-8026-48dd-94d3-4ba6a79102a8
status: test
description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
    - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
author: Tomasz Dyduch, Josh Nickels
date: 2024-05-31
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_filename_suffix:
        TargetFilename|contains: ':\temp\'
        TargetFilename|endswith:
            - '.au3'
            - '\autoit3.exe'
    selection_image_suffix:
        Image|contains: ':\temp\'
        Image|endswith:
            - '.au3'
            - '\autoit3.exe'
    condition: 1 of selection_*
falsepositives:
    - Unlikely legitimate usage of AutoIT in temp folders.
level: medium
medium
Data Exfiltration to Unsanctioned Apps
Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.
status test author Austin Songer @austinsonger id 2b669496-d215-47d8-bd9a-f4a45bf07cda
panther query
def rule(event):
    if all(
        [
            event.deep_get("eventSource", default="") == "SecurityComplianceCenter",
            event.deep_get("eventName", default="") == "Data exfiltration to unsanctioned apps",
            event.deep_get("status", default="") == "success",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: test
description: Detects when Microsoft Cloud App Security reports that a user or IP address used an unsanctioned app to perform an activity that resembles an attempt to exfiltrate information from your organization.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1537
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Data exfiltration to unsanctioned apps'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Data Exfiltration with Wget
Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions via a misconfigured sudo permission for wget, which could allow them to read files such as /etc/shadow.
status test author Pawel Mazur id cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
panther query
def rule(event):
    if all(
        [
            event.deep_get("type", default="") == "EXECVE",
            event.deep_get("a0", default="") == "wget",
            event.deep_get("a1", default="").startswith("--post-file="),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
    Detects attempts to post a file using the wget utility.
    An adversary can bypass permission restrictions via a misconfigured sudo permission for wget, which could allow them to read files such as /etc/shadow.
references:
    - https://linux.die.net/man/1/wget
    - https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection
falsepositives:
    - Legitimate usage of wget utility to post a file
level: medium
medium
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from a database. Attackers have been seen saving their malware to a database column or table and later extracting it into a file via "bcp.exe".
status test author Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems) id c615d676-f655-46b9-b913-78729021e5d7
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\bcp.exe"),
                    event.deep_get("OriginalFileName", default="") == "BCP.exe",
                ]
            ),
            any(
                [
                    " out " in event.deep_get("CommandLine", default=""),
                    " queryout " in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
    Detects the execution of the BCP utility in order to export data from the database.
    Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
    - https://docs.microsoft.com/en-us/sql/tools/bcp-utility
    - https://asec.ahnlab.com/en/61000/
    - https://asec.ahnlab.com/en/78944/
    - https://www.huntress.com/blog/attacking-mssql-servers
    - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
    - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
    - attack.execution
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcp.exe'
        - OriginalFileName: 'BCP.exe'
    selection_cli:
        CommandLine|contains:
            - ' out ' # Export data from a table
            - ' queryout ' # Export data based on a SQL query
    condition: all of selection_*
falsepositives:
    - Legitimate data export operations.
level: medium
medium
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of the dbghelp/dbgcore DLL by a potentially uncommon or suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
status test author Perez Diego (@darkquassar), oscd.community, Ecco id 0e277796-5f23-4e49-a490-483131d4f6e1
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ImageLoaded", default="").endswith("\\dbghelp.dll"),
                    event.deep_get("ImageLoaded", default="").endswith("\\dbgcore.dll"),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("\\bash.exe"),
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    event.deep_get("Image", default="").endswith("\\cscript.exe"),
                    event.deep_get("Image", default="").endswith("\\dnx.exe"),
                    event.deep_get("Image", default="").endswith("\\excel.exe"),
                    event.deep_get("Image", default="").endswith("\\monitoringhost.exe"),
                    event.deep_get("Image", default="").endswith("\\msbuild.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\outlook.exe"),
                    event.deep_get("Image", default="").endswith("\\powerpnt.exe"),
                    event.deep_get("Image", default="").endswith("\\regsvcs.exe"),
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    event.deep_get("Image", default="").endswith("\\sc.exe"),
                    event.deep_get("Image", default="").endswith("\\scriptrunner.exe"),
                    event.deep_get("Image", default="").endswith("\\winword.exe"),
                    event.deep_get("Image", default="").endswith("\\wmic.exe"),
                    event.deep_get("Image", default="").endswith("\\wscript.exe"),
                ]
            ),
            not any(
                [
                    all(
                        [
                            event.deep_get("CommandLine", default="").startswith(
                                "C:\\WINDOWS\\WinSxS\\"
                            ),
                            event.deep_get("CommandLine", default="").endswith(
                                "\\TiWorker.exe -Embedding"
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\svchost.exe"),
                            any(
                                [
                                    event.deep_get("CommandLine", default="").endswith(
                                        "-k LocalServiceNetworkRestricted"
                                    ),
                                    event.deep_get("CommandLine", default="").endswith(
                                        "-k WerSvcGroup"
                                    ),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                            any(
                                [
                                    "/d srrstr.dll,ExecuteScheduledSPPCreation"
                                    in event.deep_get("CommandLine", default=""),
                                    "aepdu.dll,AePduRunUpdate"
                                    in event.deep_get("CommandLine", default=""),
                                    "shell32.dll,OpenAs_RunDL"
                                    in event.deep_get("CommandLine", default=""),
                                    "Windows.Storage.ApplicationData.dll,CleanupTemporaryState"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
      type: similar
status: test
description: |
    Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
    The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
    As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
    Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
references:
    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2024-03-01
tags:
    - attack.credential-access
    - attack.t1003.001
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\dnx.exe'
            - '\excel.exe'
            - '\monitoringhost.exe'
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\regsvcs.exe'
            - '\rundll32.exe'
            - '\sc.exe'
            - '\scriptrunner.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            # - '\powershell.exe' # Note: Triggered by installing common software
            # - '\regsvr32.exe'  # Note: triggered by installing common software
            # - '\schtasks.exe'  # Note: triggered by installing software
            # - '\svchost.exe'  # Note: triggered by some services
    filter_main_tiworker:
        # Note: This filter requires "CommandLine" field enrichment
        CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
        CommandLine|endswith: '\TiWorker.exe -Embedding'
    filter_main_generic:
        # Note: This filter requires "CommandLine" field enrichment
        Image|endswith: '\svchost.exe'
        CommandLine|endswith:
            - '-k LocalServiceNetworkRestricted'
            - '-k WerSvcGroup'
    filter_main_rundll32:
        # Note: This filter requires "CommandLine" field enrichment
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - '/d srrstr.dll,ExecuteScheduledSPPCreation'
            - 'aepdu.dll,AePduRunUpdate'
            - 'shell32.dll,OpenAs_RunDL'
            - 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
level: medium
medium
Default Credentials Usage
Before deploying any new asset, change all default passwords to values consistent with administrative-level accounts. This Sigma rule detects default-credential findings reported by the Qualys vulnerability scanner (scan type: Vulnerability Management).
status experimental author Alexandr Yampolskyi, SOC Prime id 1a395cbc-a84a-463a-9086-ed8a70e573c7
panther query
def rule(event):
    if event.deep_get("host", "scan", "vuln", default="") in [
        10693,
        11507,
        11633,
        11804,
        11821,
        11847,
        11867,
        11931,
        11935,
        11950,
        12541,
        12558,
        12559,
        12560,
        12562,
        12563,
        12565,
        12587,
        12590,
        12599,
        12702,
        12705,
        12706,
        12907,
        12928,
        12929,
        13053,
        13178,
        13200,
        13218,
        13241,
        13253,
        13274,
        13296,
        13301,
        13327,
        13373,
        13374,
        13409,
        13530,
        13532,
        20065,
        20073,
        20081,
        27202,
        27358,
        38702,
        38719,
        42045,
        42417,
        43029,
        43220,
        43221,
        43222,
        43223,
        43225,
        43246,
        43431,
        43484,
        86857,
        87098,
        87106,
    ]:
        return True
    return False
view Sigma YAML
title: Default Credentials Usage
id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
status: experimental
description: |
    Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
    Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-26
modified: 2025-11-01
tags:
    - attack.initial-access
    # - CSC4
    # - CSC4.2
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
logsource:
    product: qualys
detection:
    selection:
        host.scan.vuln:
            - 10693
            - 11507
            - 11633
            - 11804
            - 11821
            - 11847
            - 11867
            - 11931
            - 11935
            - 11950
            - 12541
            - 12558
            - 12559
            - 12560
            - 12562
            - 12563
            - 12565
            - 12587
            - 12590
            - 12599
            - 12702
            - 12705
            - 12706
            - 12907
            - 12928
            - 12929
            - 13053
            - 13178
            - 13200
            - 13218
            - 13241
            - 13253
            - 13274
            - 13296
            - 13301
            - 13327
            - 13373
            - 13374
            - 13409
            - 13530
            - 13532
            - 20065
            - 20073
            - 20081
            - 27202
            - 27358
            - 38702
            - 38719
            - 42045
            - 42417
            - 43029
            - 43220
            - 43221
            - 43222
            - 43223
            - 43225
            - 43246
            - 43431
            - 43484
            - 86857
            - 87098
            - 87106
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Defrag Deactivation
Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group
status test author Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) id 958d81aa-8566-4cea-a565-59ccd4df27b0
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\schtasks.exe"),
            any(
                [
                    "/delete" in event.deep_get("CommandLine", default=""),
                    "/change" in event.deep_get("CommandLine", default=""),
                ]
            ),
            "/TN" in event.deep_get("CommandLine", default=""),
            "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"
            in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
    - https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.s0111
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/delete'
            - '/change'
        CommandLine|contains|all:
            - '/TN'
            - '\Microsoft\Windows\Defrag\ScheduledDefrag'
    condition: selection
falsepositives:
    - Unknown
level: medium
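Sigma's contains, startswith and endswith modifiers match case-insensitively, so an operator's "schtasks /Change /TN ..." has to trip the rule just as "/change" does, and a list under contains is OR while contains|all is AND. The block below is an added example, not code from the page or from the Sigma project: a few helpers that give a Panther rule those Sigma semantics, the Defrag Deactivation selection rewritten on top of them, and constructed process_creation events (plain dicts standing in for Panther's event object, an assumption of this example) to confirm which ones fire.

```python
def _field(event, key, default=""):
    """Read a top-level field from a Panther event or, offline, from a plain dict
    (the dict form is an assumption of this example)."""
    if hasattr(event, "deep_get"):
        return event.deep_get(key, default=default)
    value = event.get(key)
    return default if value is None else value


def _text(event, field):
    """Lower-case the field so every comparison below is case-insensitive, as in Sigma."""
    return str(_field(event, field)).lower()


def sigma_contains(event, field, *needles):
    """Sigma 'field|contains' with a list of values: OR semantics."""
    value = _text(event, field)
    return any(needle.lower() in value for needle in needles)


def sigma_contains_all(event, field, *needles):
    """Sigma 'field|contains|all': every value must be present (AND semantics)."""
    value = _text(event, field)
    return all(needle.lower() in value for needle in needles)


def sigma_endswith(event, field, *suffixes):
    """Sigma 'field|endswith' with a list of values: OR semantics."""
    value = _text(event, field)
    return any(value.endswith(suffix.lower()) for suffix in suffixes)


def defrag_deactivation(event):
    """Defrag Deactivation (958d81aa-8566-4cea-a565-59ccd4df27b0) on the helpers above.
    This body can be dropped into rule(event) unchanged."""
    return (
        sigma_endswith(event, "Image", "\\schtasks.exe")
        and sigma_contains(event, "CommandLine", "/delete", "/change")
        and sigma_contains_all(
            event, "CommandLine", "/TN", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"
        )
    )


SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"

# Constructed process_creation events, not real telemetry.
SAMPLES = {
    # Mixed case as an operator would type it: must still fire.
    "disable_mixed_case": {
        "Image": SCHTASKS,
        "CommandLine": 'schtasks /Change /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" /DISABLE',
    },
    "delete_lower_case": {
        "Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
        "CommandLine": "schtasks /delete /tn \\microsoft\\windows\\defrag\\scheduleddefrag /f",
    },
    # Reading the task is not a deactivation.
    "query_only": {
        "Image": SCHTASKS,
        "CommandLine": 'schtasks /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"',
    },
    # Same switches against a different task.
    "other_task": {
        "Image": SCHTASKS,
        "CommandLine": 'schtasks /Change /TN "\\Microsoft\\Windows\\Backup\\Nightly" /DISABLE',
    },
    # CommandLine absent: must return False rather than raise.
    "no_command_line": {"Image": SCHTASKS},
}


def run_samples():
    """Map each sample name to whether the rule fires on it."""
    return {name: defrag_deactivation(event) for name, event in SAMPLES.items()}
```

Running the samples fires on the two deactivation command lines only; the query, the other task and the event with no CommandLine all return False.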
medium
Defrag Deactivation - Security
Detects the deactivation or deletion of the scheduled defragmentation task, a technique used by the Slingshot APT group
status test author Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) id c5a178bf-9cfb-4340-b584-e4df39b6a3e7
panther query
def rule(event):
    # Security event 4701: a scheduled task was disabled
    if event.deep_get("EventID", default="") != 4701:
        return False
    # Sigma compares TaskName case-insensitively
    task = event.deep_get("TaskName", default="").lower()
    return task == "\\microsoft\\windows\\defrag\\scheduleddefrag"
view Sigma YAML
title: Defrag Deactivation - Security
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
related:
    - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
      type: derived
status: test
description: Detects the deactivation or deletion of the scheduled defragmentation task, a technique used by the Slingshot APT group
references:
    - https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-11-27
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.s0111
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
    selection:
        EventID: 4701
        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of the registry key that adds the 'Scan with Defender' option to the Explorer context menu. Attackers may use this to make it harder for users to scan suspicious files.
status experimental author Matt Anderson (Huntress) id 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
panther query
def rule(event):
    # Registry paths are case-insensitive on Windows and in Sigma; compare lower-cased
    target = event.deep_get("TargetObject", default="").lower()
    if "shellex\\contextmenuhandlers\\epp" not in target:
        return False
    # filter_main_defender: Defender's own engine removing the key is expected
    image = event.deep_get("Image", default="").lower()
    defender_dirs = (
        "c:\\programdata\\microsoft\\windows defender\\platform\\",
        "c:\\program files\\windows defender\\",
        "c:\\program files (x86)\\windows defender\\",
    )
    is_defender = image.startswith(defender_dirs) and image.endswith("\\msmpeng.exe")
    return not is_defender
view Sigma YAML
title: Delete Defender Scan ShellEx Context Menu Registry Key
id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
related:
    - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
      type: similar
status: experimental
description: Detects deletion of the registry key that adds the 'Scan with Defender' option to the Explorer context menu. Attackers may use this to make it harder for users to scan suspicious files.
references:
    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
modified: 2025-10-07
tags:
    - attack.defense-impairment
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
    filter_main_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\Program Files (x86)\Windows Defender\'
        Image|endswith: '\MsMpEng.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely as this weakens defenses and normally would not be done even if using another AV.
level: medium
medium
Deleted Data Overwritten Via Cipher.EXE
Detects usage of the built-in "cipher" utility to overwrite deleted data on disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
status test author frack113 id 4b046706-5789-4673-b111-66f25fe99534
panther query
def rule(event):
    # Case-insensitive, as Sigma matches
    image = event.deep_get("Image", default="").lower()
    original = event.deep_get("OriginalFileName", default="").lower()
    cmd = event.deep_get("CommandLine", default="").lower()
    # selection_img: either the image name or the PE's original file name
    if original != "cipher.exe" and not image.endswith("\\cipher.exe"):
        return False
    # selection_cli: "/w:<dir>" wipes free space on the volume that holds <dir>
    return " /w:" in cmd
view Sigma YAML
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
status: test
description: |
    Detects usage of the built-in "cipher" utility to overwrite deleted data on disk.
    Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
    Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
author: frack113
date: 2021-12-26
modified: 2023-02-21
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'CIPHER.EXE'
        - Image|endswith: '\cipher.exe'
    selection_cli:
        CommandLine|contains: ' /w:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
simulation:
    - type: atomic-red-team
      name: Overwrite deleted data on C drive
      technique: T1485
      atomic_guid: 321fd25e-0007-417f-adec-33232252be19
medium
Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Attackers often generate this event while searching for reachable Windows servers on the network.
status test author Pushkarev Dmitry id 8e5c03fa-b7f0-11ea-b242-07e0576828d9
panther query
def rule(event):
    if event.deep_get("EventID", default="") == 4825:
        return True
    return False
view Sigma YAML
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
  This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
  Attackers often generate this event while searching for reachable Windows servers on the network.
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4825
    condition: selection
falsepositives:
    - A valid user who has not been added to the Remote Desktop Users group
level: medium
medium
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
status test author frack113 id 6ae53108-c3a0-4bee-8f45-c7591a2c337f
panther query
def rule(event):
    if event.deep_get("EventID", default="") == 412:
        return True
    return False
view Sigma YAML
title: Deployment AppX Package Was Blocked By AppLocker
id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
status: test
description: Detects an appx package deployment that was blocked by AppLocker policy.
references:
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 412
    condition: selection
falsepositives:
    - Unlikely, since this event reports a blocked application deployment. Tune your AppLocker rules to avoid blocking legitimate applications.
level: medium
medium
Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy:
- Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
- Event ID 453: Package blocked by a platform policy
- Event ID 454: Package blocked by a platform policy
status test author frack113 id e021bbb5-407f-41f5-9dc9-1864c45a7a51
panther query
def rule(event):
    if event.deep_get("EventID", default="") in [441, 442, 453, 454]:
        return True
    return False
view Sigma YAML
title: Deployment Of The AppX Package Was Blocked By The Policy
id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
status: test
description: |
    Detects an appx package deployment that was blocked by the local computer policy.
    The following events indicate that an AppX package deployment was blocked by a policy:
    - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
    - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
    - Event ID 453: Package blocked by a platform policy.
    - Event ID 454: Package blocked by a platform policy.
references:
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
    - attack.defense-impairment
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID:
            - 441 # The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
            - 442 # Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
            - 453 # Package blocked by a platform policy
            - 454 # Package blocked by a platform policy
    condition: selection
falsepositives:
    - Unlikely, since this event reports a blocked application deployment. Tune the deployment policies above to avoid blocking legitimate applications.
level: medium
medium
Desktop.INI Created by Uncommon Process
Detects uncommon processes creating desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (e.g. renaming files) without changing the files on disk.
status test author Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) id 81315b50-6b60-4d8f-9928-3466e1022515
panther query
def rule(event):
    # Paths are matched case-insensitively, as in Sigma
    target = event.deep_get("TargetFilename", default="").lower()
    if not target.endswith("\\desktop.ini"):
        return False
    image = event.deep_get("Image", default="").lower()
    # filter_main_generic: OS and installed-program binaries
    if image.startswith(("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")):
        return False
    # filter_main_upgrade: in-place Windows upgrade staging area
    if target.startswith("c:\\$windows.~bt\\newos\\"):
        return False
    # filter_optional_jetbrains: JetBrains Toolbox unpacking apps with its bundled 7z
    if (
        image.startswith("c:\\users\\")
        and image.endswith("\\appdata\\local\\jetbrains\\toolbox\\bin\\7z.exe")
        and "\\jetbrains\\apps\\" in target
    ):
        return False
    # filter_optional_onedrive: per-user OneDrive client
    if image.startswith("c:\\users\\") and "\\appdata\\local\\microsoft\\onedrive\\" in image:
        return False
    return True
view Sigma YAML
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects uncommon processes creating desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (e.g. renaming files) without changing the files on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\desktop.ini'
    filter_main_generic:
        Image|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_upgrade:
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    filter_optional_jetbrains:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
        TargetFilename|contains: '\JetBrains\apps\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Operations performed through Windows SCCM or equivalent
    - Read only access list authority
level: medium
medium
Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
status test author Nikita Nazarov, oscd.community id e13f668e-7f95-443d-98d2-1816a7648a7b
panther query
def rule(event):
    # Lower-case both sides: the example command uses "svcVersion", the Sigma value "svcversion"
    image = event.deep_get("Image", default="").lower()
    cmd = event.deep_get("CommandLine", default="").lower()
    if not image.endswith("\\reg.exe"):
        return False
    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
    return all(token in cmd for token in ("query", "\\software\\", "/v", "svcversion"))
view Sigma YAML
title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
    - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
      type: derived
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1518
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
        CommandLine|contains|all:
            - 'query'
            - '\software\'
            - '/v'
            - 'svcversion'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
medium
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
status test author Nikita Nazarov, oscd.community id 2650dd1a-eb2a-412d-ac36-83f06c4f2282
panther query
def rule(event):
    # Script block text is matched case-insensitively (the cmdlets are typed as Get-ItemProperty, Select-Object, ...)
    script = event.deep_get("ScriptBlockText", default="").lower()
    # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
    return all(
        token in script
        for token in ("get-itemproperty", "\\software\\", "select-object", "format-table")
    )
view Sigma YAML
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1518
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
            - 'get-itemProperty'
            - '\software\'
            - 'select-object'
            - 'format-table'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
medium
Detection of PowerShell Execution via Sqlps.exe
This rule detects execution of PowerShell code through the sqlps.exe utility, which ships with Microsoft SQL Server. Script blocks are not logged in this case, so the utility can be used to bypass protections that rely on PowerShell script block logging.
status test author Agro (@agro_sev) oscd.community id 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
panther query
def rule(event):
    # Case-insensitive, as Sigma matches
    image = event.deep_get("Image", default="").lower()
    parent = event.deep_get("ParentImage", default="").lower()
    original = event.deep_get("OriginalFileName", default="").lower()
    # selection_parent: anything spawned by sqlps.exe
    if parent.endswith("\\sqlps.exe"):
        return True
    # selection_image and not filter_image: sqlps.exe itself, unless SQL Server Agent launched it
    is_sqlps = image.endswith("\\sqlps.exe") or original == "sqlps.exe"
    return is_sqlps and not parent.endswith("\\sqlagent.exe")
view Sigma YAML
title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
  This rule detects execution of PowerShell code through the sqlps.exe utility, which ships with Microsoft SQL Server.
  Script blocks are not logged in this case, so the utility can be used to bypass protections that rely on PowerShell script block logging.
references:
    - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
    - https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlps.exe'
    selection_image:
        - Image|endswith: '\sqlps.exe'
        - OriginalFileName: 'sqlps.exe'
    filter_image:
        ParentImage|endswith: '\sqlagent.exe'
    condition: selection_parent or (selection_image and not filter_image)
falsepositives:
    - Direct PowerShell execution through sqlps.exe is uncommon; a sqlps.exe child process spawned by sqlagent.exe is legitimate.
level: medium
medium
Device Installation Blocked
Detects the installation of a device that is forbidden by system policy
status test author frack113 id c9eb55c3-b468-40ab-9089-db2862e42137
panther query
def rule(event):
    if event.deep_get("EventID", default="") == 6423:
        return True
    return False
view Sigma YAML
title: Device Installation Blocked
id: c9eb55c3-b468-40ab-9089-db2862e42137
status: test
description: Detects the installation of a device that is forbidden by system policy
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
author: frack113
date: 2022-10-14
tags:
    - attack.initial-access
    - attack.t1200
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID: 6423
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
status test author Michael Epping, '@mepples21' id 5afa454e-030c-4ab4-9253-a90aa7fcc581
panther query
def rule(event):
    if all(
        [
            event.deep_get("ResourceDisplayName", default="") == "Device Registration Service",
            event.deep_get("conditionalAccessStatus", default="") == "success",
            not event.deep_get("AuthenticationRequirement", default="")
            == "multiFactorAuthentication",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
status: test
description: Monitor and alert for device registration or join events where MFA was not performed.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResourceDisplayName: 'Device Registration Service'
        conditionalAccessStatus: 'success'
    filter_mfa:
        AuthenticationRequirement: 'multiFactorAuthentication'
    condition: selection and not filter_mfa
falsepositives:
    - Unknown
level: medium
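The rule reads ResourceDisplayName, conditionalAccessStatus and AuthenticationRequirement as top-level fields, but Entra ID sign-in records reach a log pipeline nested under a properties object, so the Sigma names have to be mapped before the logic is worth anything. The block below is an added example, not code from the page or from the Sigma project: a field map from the Sigma names to an assumed properties.* layout (the exact export schema of your tenant is the assumption to verify), the rule evaluated through it, and constructed sign-in records covering a single-factor registration, an MFA registration, a registration with no Conditional Access policy applied, and a record missing the requirement field. The require_ca_success switch that widens the check to conditionalAccessStatus "notApplied" is this example's addition, not part of the rule.

```python
# Where the Sigma field names live in an exported Entra ID sign-in record.
# Assumed layout for this example: the sign-in attributes sit under a top-level "properties".
FIELD_MAP = {
    "ResourceDisplayName": ("properties", "resourceDisplayName"),
    "conditionalAccessStatus": ("properties", "conditionalAccessStatus"),
    "AuthenticationRequirement": ("properties", "authenticationRequirement"),
    "UserPrincipalName": ("properties", "userPrincipalName"),
}


def deep_get(record, *keys, default=None):
    """Walk nested dicts and return default when a key is missing or its value is None
    (the same contract as Panther's event.deep_get)."""
    value = record
    for key in keys:
        value = value.get(key) if isinstance(value, dict) else None
    return default if value is None else value


def sigma_field(record, name, default=""):
    """Resolve a Sigma field name through FIELD_MAP; unmapped names are read top-level."""
    return deep_get(record, *FIELD_MAP.get(name, (name,)), default=default)


def device_registration_without_mfa(record, require_ca_success=True):
    """Device Registration or Join Without MFA evaluated on mapped fields.
    With require_ca_success=False the check also fires when conditionalAccessStatus is
    'notApplied' (no CA policy covered the request), which the original selection skips."""
    if sigma_field(record, "ResourceDisplayName") != "Device Registration Service":
        return False
    if require_ca_success and sigma_field(record, "conditionalAccessStatus") != "success":
        return False
    # filter_mfa: anything other than an MFA requirement fires, including a missing field
    return sigma_field(record, "AuthenticationRequirement") != "multiFactorAuthentication"


def _signin(resource, ca_status, auth_requirement, upn="user@example.test"):
    """Build a constructed sign-in record (not real tenant data)."""
    props = {
        "resourceDisplayName": resource,
        "conditionalAccessStatus": ca_status,
        "userPrincipalName": upn,
    }
    if auth_requirement is not None:
        props["authenticationRequirement"] = auth_requirement
    return {"category": "SignInLogs", "properties": props}


SAMPLES = {
    "join_single_factor": _signin("Device Registration Service", "success", "singleFactorAuthentication"),
    "join_with_mfa": _signin("Device Registration Service", "success", "multiFactorAuthentication"),
    "join_ca_not_applied": _signin("Device Registration Service", "notApplied", "singleFactorAuthentication"),
    "graph_single_factor": _signin("Microsoft Graph", "success", "singleFactorAuthentication"),
    "join_requirement_missing": _signin("Device Registration Service", "success", None),
}


def run_samples(require_ca_success=True):
    """Map each sample name to whether the rule fires on it."""
    return {
        name: device_registration_without_mfa(record, require_ca_success)
        for name, record in SAMPLES.items()
    }
```

Two behaviours the samples expose are worth knowing before trusting the alert: a record with no authenticationRequirement fires, because the MFA filter simply does not match (Sigma semantics), and with the default require_ca_success the rule never fires in a tenant where no Conditional Access policy covers device registration, since conditionalAccessStatus is then notApplied rather than success.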
medium
DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
status test author Nasreddine Bencherchali (Nextron Systems) id b8b1b304-a60f-4999-9a6e-c547bde03ffd
panther query
def rule(event):
    # Case-insensitive, as Sigma matches
    image = event.deep_get("Image", default="").lower()
    return image.endswith("\\devicecredentialdeployment.exe")
view Sigma YAML
title: DeviceCredentialDeployment Execution
id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
status: test
description: |
    Detects the execution of DeviceCredentialDeployment to hide a process from view.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/147
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DeviceCredentialDeployment.exe'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Dfsvc.EXE Network Connection To Non-Local IPs
Detects network connections to non-local IPs from "dfsvc.exe", the process that handles ClickOnce applications
status test author Nasreddine Bencherchali (Nextron Systems) id 3c21219b-49b5-4268-bce6-c914ed50f09c
panther query
import ipaddress

# filter_main_local_ip: loopback, RFC 1918, link-local and IPv6 ULA ranges
LOCAL_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "127.0.0.0/8",
        "10.0.0.0/8",
        "169.254.0.0/16",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "::1/128",
        "fe80::/10",
        "fc00::/7",
    )
]


def rule(event):
    image = event.deep_get("Image", default="").lower()
    if not image.endswith("\\dfsvc.exe"):
        return False
    # Sysmon logs Initiated as the string "true"; a normalised schema may carry a boolean
    if str(event.deep_get("Initiated", default="")).lower() != "true":
        return False
    # Parse once; an empty or non-IP DestinationIp must not raise inside the rule
    try:
        dest = ipaddress.ip_address(event.deep_get("DestinationIp", default=""))
    except ValueError:
        return False
    # Membership across IP versions is simply False, so one list covers v4 and v6
    return not any(dest in net for net in LOCAL_RANGES)
view Sigma YAML
title: Dfsvc.EXE Network Connection To Non-Local IPs
id: 3c21219b-49b5-4268-bce6-c914ed50f09c
status: test
description: Detects network connections to non-local IPs from "dfsvc.exe", the process that handles ClickOnce applications
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1203
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\dfsvc.exe'
        Initiated: 'true'
    filter_main_local_ip:
        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16'  # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environment as necessary
level: medium
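The CIDR filter on this rule assumes DestinationIp always parses as an address. An empty field, a hostname, or an IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 (which the ipaddress module treats as IPv6, so it sits in none of the IPv4 ranges and would be reported as non-local) all need handling before the range check. The block below is an added example, not code from the page or from the Sigma project: it parses the destination once, unwraps mapped addresses, returns False instead of raising on junk, and runs the rule over constructed Sysmon network_connection events (dicts standing in for Panther's event object, an assumption here; the dfsvc.exe path and the addresses are constructed).

```python
import ipaddress

# The rule's filter_main_local_ip ranges.
LOCAL_NETS = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
        "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
    )
]


def _field(event, key, default=""):
    """Read a top-level field from a Panther event or, offline, from a plain dict
    (the dict form is an assumption of this example)."""
    if hasattr(event, "deep_get"):
        return event.deep_get(key, default=default)
    value = event.get(key)
    return default if value is None else value


def parse_destination(value):
    """Return an address object for DestinationIp, or None when the field is empty, a
    hostname, or otherwise unparseable. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    to its IPv4 address so the IPv4 ranges above still apply to it."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this attribute
    return mapped if mapped is not None else addr


def is_local_destination(value):
    """True only for a parseable address inside one of LOCAL_NETS."""
    addr = parse_destination(value)
    return addr is not None and any(addr in net for net in LOCAL_NETS)


def dfsvc_non_local(event):
    """Dfsvc.EXE Network Connection To Non-Local IPs with the IP handling above.
    The body works unchanged as a Panther rule(event)."""
    image = str(_field(event, "Image")).lower()
    if not image.endswith("\\dfsvc.exe"):
        return False
    # Sysmon logs Initiated as the string "true"; a normalised schema may use a boolean
    if str(_field(event, "Initiated")).lower() != "true":
        return False
    addr = parse_destination(_field(event, "DestinationIp"))
    if addr is None:
        return False  # nothing to judge, and never raise inside the rule
    return not any(addr in net for net in LOCAL_NETS)


DFSVC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe"

# Constructed network_connection events, not real telemetry.
SAMPLES = {
    "public_ip": {"Image": DFSVC, "Initiated": "true", "DestinationIp": "203.0.113.7"},
    "rfc1918": {"Image": DFSVC, "Initiated": "true", "DestinationIp": "10.20.30.40"},
    "mapped_rfc1918": {"Image": DFSVC, "Initiated": True, "DestinationIp": "::ffff:192.168.1.5"},
    "ipv6_ula": {"Image": DFSVC, "Initiated": "true", "DestinationIp": "fd12:3456::1"},
    "public_ipv6": {"Image": DFSVC, "Initiated": "true", "DestinationIp": "2001:db8::10"},
    "hostname_not_ip": {"Image": DFSVC, "Initiated": "true", "DestinationIp": "manifest.example.invalid"},
    "inbound": {"Image": DFSVC, "Initiated": "false", "DestinationIp": "203.0.113.7"},
    "other_process": {"Image": "C:\\Windows\\explorer.exe", "Initiated": "true", "DestinationIp": "203.0.113.7"},
}


def run_samples():
    """Map each sample name to whether the rule fires on it."""
    return {name: dfsvc_non_local(event) for name, event in SAMPLES.items()}
```

Only the two public destinations fire; the mapped RFC 1918 address is treated as private rather than public, and the hostname record returns False instead of crashing the rule.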
medium
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility points (ASEPs) in the registry using reg.exe.
status test author Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems) id 24357373-078f-44ed-9ac4-6d334a668a11
panther query
# selection_cli_keys, lower-cased because Sigma matches case-insensitively and real command
# lines mix cases freely ("HKCU\Software\...", "HKLM\SOFTWARE\...").
ASEP_KEYS = (
    # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\wow6432node\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit",
    "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell",
    "\\software\\microsoft\\windows nt\\currentversion\\windows",
    "\\system\\currentcontrolset\\control\\safeboot\\alternateshell",
)


def rule(event):
    image = event.deep_get("Image", default="").lower()
    original = event.deep_get("OriginalFileName", default="").lower()
    cmd = event.deep_get("CommandLine", default="").lower()
    # selection_img
    if not (image.endswith("\\reg.exe") or original == "reg.exe"):
        return False
    # selection_cli_add: keeps "reg query" discovery activity out of this rule
    if "add" not in cmd:
        return False
    # selection_cli_keys: any one ASEP path is enough
    return any(key in cmd for key in ASEP_KEYS)
view Sigma YAML
title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility points (ASEPs) in the registry using reg.exe.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_add:
        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules
    selection_cli_keys:
        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
            - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
            - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
    condition: all of selection_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
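Added example, not part of the rendered corpus above: the Direct Autorun Keys Modification logic written as a Panther rule that keeps Sigma's default case-insensitive string matching. Python's `in` operator is case-sensitive while Sigma's `contains` is not, so a rule that compares the raw CommandLine against a lowercase literal silently misses `HKCU\Software\...\Run` typed with a capital S. Field names follow the Sigma process_creation taxonomy and must be mapped to your own log schema; `title` and `alert_context` are the Panther conventions for enriching the alert; plain dicts stand in for the Panther event object, whose `get` method the rule uses; the sample events at the bottom are constructed, not real telemetry.

```python
# Added example (not the page's rendered rule): "Direct Autorun Keys Modification"
# as a Panther rule with Sigma's case-insensitive matching semantics.
# Field names are the Sigma process_creation taxonomy; map them to your schema.

ASEP_KEYS = (
    r"\software\microsoft\windows\currentversion\run",  # also covers RunOnce, RunOnceEx, RunServices...
    r"\software\wow6432node\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
    r"\software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"\software\microsoft\windows nt\currentversion\winlogon\shell",
    r"\software\microsoft\windows nt\currentversion\windows",
    r"\system\currentcontrolset\control\safeboot\alternateshell",
)


def _lower(event, field):
    """Fetch a string field and fold case, as Sigma's default modifiers do."""
    return str(event.get(field, "") or "").lower()


def matched_asep_key(event):
    """Return the first ASEP key substring found in CommandLine, else None."""
    cmd = _lower(event, "CommandLine")
    for key in ASEP_KEYS:
        if key in cmd:
            return key
    return None


def rule(event):
    # selection_img: the image name or the PE's OriginalFileName is reg.exe
    is_reg = _lower(event, "Image").endswith("\\reg.exe") or _lower(event, "OriginalFileName") == "reg.exe"
    # selection_cli_add: 'add' keeps discovery-only 'reg query' out of scope
    has_add = "add" in _lower(event, "CommandLine")
    # condition: all of selection_*
    return is_reg and has_add and matched_asep_key(event) is not None


def title(event):
    return f"Autorun key modified via reg.exe: {matched_asep_key(event)}"


def alert_context(event):
    return {
        "image": event.get("Image"),
        "command_line": event.get("CommandLine"),
        "asep_key": matched_asep_key(event),
    }


# Constructed sample events for local testing (these are not real log lines).
SAMPLE_EVENTS = [
    {   # mixed-case key path: fires here; a case-sensitive 'in' on '\software\...' would miss it
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe",
    },
    {   # discovery only: no 'add', must not fire
        "Image": r"C:\Windows\System32\reg.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    },
    {   # renamed binary: caught by OriginalFileName, which comes from the PE version resource
        "Image": r"C:\Users\Public\r.exe",
        "OriginalFileName": "reg.exe",
        "CommandLine": r"r.exe ADD HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce /v x /d C:\x.exe",
    },
    {   # cmd.exe echoing a key path: not reg.exe, must not fire
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo add HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    },
]


def run_samples(events=SAMPLE_EVENTS):
    """Evaluate rule() over the samples; returns one boolean per event."""
    return [rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, run_samples()):
        print(hit, "<-", e["CommandLine"])
```

The `OriginalFileName` branch is what catches a copied or renamed reg.exe; keep it when you map fields, because Sysmon and most EDR process-creation events carry it while plain Windows 4688 events do not.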
medium
DirectorySearcher Powershell Exploitation
Detects PowerShell script blocks that use System.DirectoryServices.DirectorySearcher to enumerate the computers joined to an Active Directory domain
status test author frack113 id 1f6399cf-2c80-4924-ace1-6fcff3393480
panther query
def rule(event):
    # Sigma string matching is case-insensitive by default; fold the script
    # block once so '.FindAll()' and '.findall()' both match.
    script = event.deep_get("ScriptBlockText", default="").lower()
    if all(
        [
            "new-object " in script,
            "system.directoryservices.directorysearcher" in script,
            ".propertiestoload.add" in script,
            ".findall()" in script,
            "properties.name" in script,
        ]
    ):
        return True
    return False
view Sigma YAML
title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Detects PowerShell script blocks that use System.DirectoryServices.DirectorySearcher to enumerate the computers joined to an Active Directory domain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
    - attack.discovery
    - attack.t1018
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object '
            - 'System.DirectoryServices.DirectorySearcher'
            - '.PropertiesToLoad.Add'
            - '.findall()'
            - 'Properties.name'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Disable Administrative Share Creation at Startup
Detects the AutoShareWks or AutoShareServer registry value being set to 0, which stops Windows from recreating its hidden administrative shares (C$, ADMIN$) at startup. Administrative shares are hidden network shares created by Windows that grant system administrators remote access to every disk volume on a network-connected system
status test author frack113 id c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
panther query
def rule(event):
    if all(
        [
            "\\Services\\LanmanServer\\Parameters\\" in event.deep_get("TargetObject", default=""),
            any(
                [
                    event.deep_get("TargetObject", default="").endswith("\\AutoShareWks"),
                    event.deep_get("TargetObject", default="").endswith("\\AutoShareServer"),
                ]
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Detects the AutoShareWks or AutoShareServer registry value being set to 0, which stops Windows from recreating its hidden administrative shares (C$, ADMIN$) at startup. Administrative shares are hidden network shares created by Windows that grant system administrators remote access to every disk volume on a network-connected system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\LanmanServer\Parameters\'
        TargetObject|endswith:
            - '\AutoShareWks'
            - '\AutoShareServer'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Administrative Share Creation at Startup
      technique: T1070.005
      atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
medium
Disable Exploit Guard Network Protection on Windows Defender
Detects disabling Windows Defender Exploit Guard Network Protection
status test author Austin Songer @austinsonger id bf9e1387-b040-4393-9851-1598f8ecfae9
panther query
def rule(event):
    # Note: the Sigma rule's Details literal has no '0x' prefix, whereas Sysmon
    # Event ID 13 renders DWORD values as 'DWORD (0x00000001)'. Confirm how your
    # registry_set source renders the value before relying on this exact match.
    if all(
        [
            "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride"
            in event.deep_get("TargetObject", default=""),
            event.deep_get("Details", default="") == "DWORD (00000001)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Exploit Guard Network Protection on Windows Defender
id: bf9e1387-b040-4393-9851-1598f8ecfae9
status: test
description: Detects disabling Windows Defender Exploit Guard Network Protection
references:
    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
        Details: 'DWORD (00000001)'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
status test author frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec id e2482f8d-3443-4237-b906-cc145d87a076
panther query
def rule(event):
    if any(
        [
            all(
                [
                    any(
                        [
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisableCMD"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"
                            ),
                        ]
                    ),
                    event.deep_get("Details", default="") == "DWORD (0x00000001)",
                ]
            ),
            all(
                [
                    any(
                        [
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection"
                            ),
                            event.deep_get("TargetObject", default="").endswith(
                                "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect"
                            ),
                        ]
                    ),
                    event.deep_get("Details", default="") == "DWORD (0x00000000)",
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
    - https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
            - 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
            - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
            - 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
            - 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
            - 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium
medium
Disable Microsoft Defender Firewall via Registry
Detects the EnableFirewall value being set to 0 under the SharedAccess FirewallPolicy profile keys (Domain, Public or Standard). Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
status test author frack113 id 974515da-6cc5-4c95-ae65-f97f9150ec7f
panther query
def rule(event):
    if all(
        [
            "\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
            in event.deep_get("TargetObject", default=""),
            event.deep_get("TargetObject", default="").endswith("\\EnableFirewall"),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Detects the EnableFirewall value being set to 0 under the SharedAccess FirewallPolicy profile keys (Domain, Public or Standard). Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
        TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
        TargetObject|endswith: '\EnableFirewall'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Microsoft Defender Firewall via Registry
      technique: T1562.004
      atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
medium
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service' or 'chkconfig' to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
status test author Nasreddine Bencherchali (Nextron Systems) id de25eeb8-3655-4643-ac3a-b662d3f26b6b
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("/service"),
                    event.deep_get("Image", default="").endswith("/systemctl"),
                    event.deep_get("Image", default="").endswith("/chkconfig"),
                ]
            ),
            any(
                [
                    " stop " in event.deep_get("CommandLine", default=""),
                    " disable " in event.deep_get("CommandLine", default=""),
                ]
            ),
            not any(
                [
                    all(
                        [
                            event.deep_get("Image", default="").endswith("/systemctl"),
                            any(
                                [
                                    "--no-reload disable snap-snapd-"
                                    in event.deep_get("CommandLine", default=""),
                                    " stop snap-snapd-"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("/systemctl"),
                            "tmp.ci/preinst upgrade"
                            in event.deep_get("ParentCommandLine", default=""),
                            " stop " in event.deep_get("CommandLine", default=""),
                            "ssh." in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            "/dpkg/info/ubuntu-pro-client.prerm upgrade"
                            in event.deep_get("ParentCommandLine", default=""),
                            event.deep_get("Image", default="").endswith("/systemctl"),
                        ]
                    ),
                ]
            ),
            not all(
                [
                    event.deep_get("Image", default="").endswith("/systemctl"),
                    event.deep_get("CommandLine", default="").endswith(
                        "snap.amazon-ssm-agent.amazon-ssm-agent.service"
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
    Detects the usage of utilities such as 'systemctl', 'service' or 'chkconfig' to stop or disable tools and services on Linux systems.
    Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/service'
            - '/systemctl'
            - '/chkconfig'
        CommandLine|contains:
            - ' stop '
            - ' disable '
    filter_main_legit_snapd:
        Image|endswith: '/systemctl'
        CommandLine|contains:
            - '--no-reload disable snap-snapd-'
            - ' stop snap-snapd-'
    filter_main_ssh_preinstall:
        Image|endswith: '/systemctl'
        ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
        CommandLine|contains|all:
            - ' stop '
            - 'ssh.'
    filter_main_ubuntu_upgrade:
        ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
        Image|endswith: '/systemctl'
    filter_optional_aws_agent:
        Image|endswith: '/systemctl'
        CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activities
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
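Added example, not the page's rendered rule: a token-based variant of the Disable Or Stop Services logic. The Sigma selection matches ' stop ' and ' disable ' as space-padded substrings, so the SysV form `service auditd stop`, where the verb is the last argument and has no trailing space, is not matched; splitting the command line into argv tokens closes that gap while keeping the rule's filter_main_* and filter_optional_* exclusions. The `mask` verb is an addition of this example (systemctl mask also prevents a unit from starting) and is not in the Sigma rule. Field names follow the Sigma process_creation taxonomy; plain dicts stand in for the Panther event object, whose `get` method the rule uses; the sample events are constructed.

```python
# Added example (not the page's rendered rule): token-based "Disable Or Stop
# Services" with the original substring logic kept alongside for comparison.
import shlex

SERVICE_TOOLS = ("/service", "/systemctl", "/chkconfig")
# 'stop' and 'disable' mirror the Sigma rule; 'mask' is an added assumption
# of this example and is not part of the page's rule.
STOP_VERBS = {"stop", "disable", "mask"}


def _argv(cmdline):
    """Split a shell-style command line; fall back to whitespace on quoting errors."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _uses_service_tool(event):
    return str(event.get("Image", "") or "").endswith(SERVICE_TOOLS)


def substring_verb_match(event):
    """The rendered rule's selection: ' stop ' / ' disable ' as space-padded substrings."""
    cmd = str(event.get("CommandLine", "") or "")
    return _uses_service_tool(event) and (" stop " in cmd or " disable " in cmd)


def stop_verb(event):
    """Return the stop verb found as a standalone argv token (argv[0] excluded), else None."""
    if not _uses_service_tool(event):
        return None
    for tok in _argv(str(event.get("CommandLine", "") or ""))[1:]:
        if tok.lower() in STOP_VERBS:
            return tok.lower()
    return None


def _is_filtered(event):
    """The Sigma rule's filter_main_* and filter_optional_* exclusions; all require systemctl."""
    if not str(event.get("Image", "") or "").endswith("/systemctl"):
        return False
    cmd = str(event.get("CommandLine", "") or "")
    parent = str(event.get("ParentCommandLine", "") or "")
    return (
        "--no-reload disable snap-snapd-" in cmd or " stop snap-snapd-" in cmd            # filter_main_legit_snapd
        or ("tmp.ci/preinst upgrade" in parent and " stop " in cmd and "ssh." in cmd)   # filter_main_ssh_preinstall
        or "/dpkg/info/ubuntu-pro-client.prerm upgrade" in parent                       # filter_main_ubuntu_upgrade
        or cmd.endswith("snap.amazon-ssm-agent.amazon-ssm-agent.service")               # filter_optional_aws_agent
    )


def rule(event):
    return stop_verb(event) is not None and not _is_filtered(event)


def title(event):
    return f"Service {stop_verb(event)} via {event.get('Image')}: {event.get('CommandLine')}"


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl stop auditd", "ParentCommandLine": "-bash"},
    {"Image": "/usr/sbin/service", "CommandLine": "service auditd stop", "ParentCommandLine": "-bash"},  # verb is last: substring misses it
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl disable --now falcon-sensor.service", "ParentCommandLine": "sudo -i"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl status auditd", "ParentCommandLine": "-bash"},
    {"Image": "/usr/bin/systemctl", "CommandLine": "systemctl --no-reload disable snap-snapd-2.mount", "ParentCommandLine": "/usr/bin/snap"},  # snapd filter
    {"Image": "/usr/bin/grep", "CommandLine": "grep -r ' stop ' /etc/init.d", "ParentCommandLine": "-bash"},  # wrong image
]


def run_samples(events=SAMPLE_EVENTS):
    """Return (substring_match, token_rule) pairs, one per sample."""
    return [(substring_verb_match(e), rule(e)) for e in events]


if __name__ == "__main__":
    for e, (sub, tok) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"substring={sub!s:5} token={tok!s:5}  {e['CommandLine']}")
```

The second sample is the one to watch: the substring form returns False while the token form fires, and the fifth shows the snapd filter still suppressing the token form, so tightening the match does not reopen the known-benign cases.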
medium
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
status test author frack113 id 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
panther query
def rule(event):
    if all(
        [
            event.deep_get("TargetObject", default="").endswith(
                "\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience"
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Privacy Settings Experience in Registry
id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
status: test
description: Detects registry modifications that disable Privacy Settings Experience
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022-10-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate admin script
level: medium
medium
Disable Security Tools
Detects security agents and log shippers being unloaded with launchctl, or Gatekeeper being disabled with spctl, on macOS
status test author Daniil Yugoslavskiy, oscd.community id ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
panther query
def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("Image", default="") == "/bin/launchctl",
                    "unload" in event.deep_get("CommandLine", default=""),
                    any(
                        [
                            "com.objective-see.lulu.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.objective-see.blockblock.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.google.santad.plist" in event.deep_get("CommandLine", default=""),
                            "com.carbonblack.defense.daemon.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.carbonblack.daemon.plist"
                            in event.deep_get("CommandLine", default=""),
                            "at.obdev.littlesnitchd.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.tenablesecurity.nessusagent.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.opendns.osx.RoamingClientConfigUpdater.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.crowdstrike.falcond.plist"
                            in event.deep_get("CommandLine", default=""),
                            "com.crowdstrike.userdaemon.plist"
                            in event.deep_get("CommandLine", default=""),
                            "osquery" in event.deep_get("CommandLine", default=""),
                            "filebeat" in event.deep_get("CommandLine", default=""),
                            "auditbeat" in event.deep_get("CommandLine", default=""),
                            "packetbeat" in event.deep_get("CommandLine", default=""),
                            "td-agent" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="") == "/usr/sbin/spctl",
                    "disable" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects security agents and log shippers being unloaded with launchctl, or Gatekeeper being disabled with spctl, on macOS
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: macos
detection:
    launchctl_unload:
        Image: '/bin/launchctl'
        CommandLine|contains: 'unload'
    security_plists:
        CommandLine|contains:
            - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility
            - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker
            - 'com.google.santad.plist'                          # google santa
            - 'com.carbonblack.defense.daemon.plist'             # carbon black
            - 'com.carbonblack.daemon.plist'                     # carbon black
            - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility
            - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus
            - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
            - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon
            - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon
            - 'osquery'                                          # facebook osquery
            - 'filebeat'                                         # elastic log file shipper
            - 'auditbeat'                                        # elastic auditing agent/log shipper
            - 'packetbeat'                                       # elastic network logger/shipper
            - 'td-agent'                                         # fluentd log shipper
    disable_gatekeeper:
        Image: '/usr/sbin/spctl'
        CommandLine|contains: 'disable'
    condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
    - Legitimate activities
level: medium
medium
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
status test author Austin Songer @austinsonger id 93d298a1-d28f-47f1-a468-d971e7796679
panther query
def rule(event):
    if all(
        [
            "\\Microsoft\\Windows Defender\\Features\\TamperProtection"
            in event.deep_get("TargetObject", default=""),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
            not any(
                [
                    all(
                        [
                            event.deep_get("Image", default="").startswith(
                                "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"
                            ),
                            event.deep_get("Image", default="").endswith("\\MsMpEng.exe"),
                        ]
                    ),
                    event.deep_get("Image", default="")
                    == "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Tamper Protection on Windows Defender
id: 93d298a1-d28f-47f1-a468-d971e7796679
status: test
description: Detects disabling Windows Defender Tamper Protection
references:
    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
        Details: DWORD (0x00000000)
    filter_msmpeng_client: # only disabled temporarily during updates
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_msmpeng_domain_controller: # only disabled temporarily during updates
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
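Added example, not the page's rendered rule, covering the registry_set rules above (Disable Tamper Protection on Windows Defender, and the Exploit Guard rule whose Details literal is written without the 0x prefix): instead of comparing the Sysmon Details string byte-for-byte, parse the DWORD/QWORD value to an integer and compare numerically, then apply the Tamper Protection rule's MsMpEng.exe filters. TargetObject, Details, Image, User and EventType are the Sysmon Event ID 13 fields as Sigma's registry_set taxonomy uses them; plain dicts stand in for the Panther event object, whose `get` method the rule uses; the sample events are constructed, and the fourth one's prefix-less Details rendering is an assumed variant (a pipeline that strips the prefix), not something this page shows Sysmon emitting.

```python
# Added example (not the page's rendered rule): "Disable Tamper Protection on
# Windows Defender" with numeric parsing of the Sysmon Details field.
import re

# Sysmon Event ID 13 renders numeric values as 'DWORD (0x00000000)' or 'QWORD (0x...)'.
# The 0x prefix is optional here so a prefix-less rendering still parses.
_NUMERIC_DETAILS = re.compile(r"^(DWORD|QWORD)\s*\((?:0x)?([0-9A-Fa-f]+)\)$")


def details_to_int(details):
    """Return the integer in a Sysmon DWORD/QWORD Details string, or None for string/binary values."""
    m = _NUMERIC_DETAILS.match(str(details or "").strip())
    return int(m.group(2), 16) if m else None


def _lower(event, field):
    """Fetch a string field and fold case, as Sigma's default modifiers do."""
    return str(event.get(field, "") or "").lower()


def _is_defender_engine(event):
    """filter_msmpeng_*: the Defender engine itself flips TamperProtection briefly during updates."""
    image = _lower(event, "Image")
    return (
        (image.startswith("c:\\programdata\\microsoft\\windows defender\\platform\\")
         and image.endswith("\\msmpeng.exe"))
        or image == "c:\\program files\\windows defender\\msmpeng.exe"
    )


def rule(event):
    if "\\microsoft\\windows defender\\features\\tamperprotection" not in _lower(event, "TargetObject"):
        return False
    if details_to_int(event.get("Details")) != 0:   # None (non-numeric) also falls through here
        return False
    return not _is_defender_engine(event)


def title(event):
    return f"Defender Tamper Protection set to 0 by {event.get('Image')} ({event.get('User')})"


def alert_context(event):
    return {k: event.get(k) for k in ("Image", "User", "TargetObject", "Details", "EventType")}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {   # reg.exe from an interactive session: fires
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "User": "CORP\\jdoe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": "DWORD (0x00000000)",
    },
    {   # Defender engine during a platform update: suppressed by the filter
        "EventType": "SetValue",
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MsMpEng.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": "DWORD (0x00000000)",
    },
    {   # non-zero value written back: not a disable, no alert
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "User": "CORP\\jdoe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": "DWORD (0x00000005)",
    },
    {   # assumed variant: a pipeline that strips the 0x prefix; still parsed as 0
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": "CORP\\jdoe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": "DWORD (00000000)",
    },
]


def run_samples(events=SAMPLE_EVENTS):
    """Evaluate rule() over the samples; returns one boolean per event."""
    return [rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_EVENTS, run_samples()):
        print(hit, "<-", e["Image"], e["Details"])
```

`details_to_int` returns None for REG_SZ and REG_BINARY values, so a string value that happens to read "0" does not trip the rule; the same parser can replace the exact-string `Details` comparisons in the other registry_set rules on this page.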
medium
Disable Windows Firewall by Registry
Detects the EnableFirewall policy value being set to 0 under the WindowsFirewall policy key, which disables the Windows firewall for the domain or standard profile
status test author frack113 id e78c408a-e2ea-43cd-b5ea-51975cf358c0
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("TargetObject", default="").endswith(
                        "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall"
                    ),
                    event.deep_get("TargetObject", default="").endswith(
                        "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall"
                    ),
                ]
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detects the EnableFirewall policy value being set to 0 under the WindowsFirewall policy key, which disables the Windows firewall for the domain or standard profile
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
            - \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Disable Windows Security Center Notifications
Detects the UseActionCenterExperience value being set to 0, which disables Windows Security Center notifications
status test author frack113 id 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
panther query
def rule(event):
    if all(
        [
            event.deep_get("TargetObject", default="").endswith(
                "Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience"
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000000)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: test
description: Detects the UseActionCenterExperience value being set to 0, which disables Windows Security Center notifications
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Windows Security Center Notifications
      technique: T1112
      atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
Showing 251-300 of 1,492