title: Renamed Vmnat.exe Execution
id: 7b4f794b-590a-4ad4-ba18-7964a2832205
status: test
description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
references:
    - https://twitter.com/malmoeb/status/1525901219247845376
author: elhoim
date: 2022-09-09
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'vmnat.exe'
    filter_rename:
        Image|endswith: 'vmnat.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Renamed VsCode Code Tunnel Execution - File Indicator
id: d102b8f5-61dc-4e68-bd83-9a3187c67377
status: test
description: |
    Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\code_tunnel.json'
    filter_main_legit_name:
        # Note: There might be other legitimate names for VsCode. Please add them if found
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
    Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
    This binary can be abused for DLL injection, arbitrary command and process execution.
references:
    - https://twitter.com/gN3mes1s/status/1222088214581825540
    - https://twitter.com/gN3mes1s/status/1222095963789111296
    - https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036
    - attack.t1055.001
    - attack.t1202
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
    filter_main_legit_name:
        Image|endswith: '\dctask64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Replay Attack Detected
id: 5a44727c-3b85-4713-8c44-4401d5499629
status: test
description: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
author: frack113
date: 2022-10-14
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID: 4649
    condition: selection
falsepositives:
    - Unknown
level: high

title: Restore Public AWS RDS Instance
id: c3f265c7-ff03-4056-8ab2-d486227b4599
status: test
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: rds.amazonaws.com
        responseElements.publiclyAccessible: 'true'
        eventName: RestoreDBInstanceFromDBSnapshot
    condition: selection_source
falsepositives:
    - Unknown
level: high

title: Restricted Software Access By SRP
id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
status: test
description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
references:
    - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-12
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1072
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-SoftwareRestrictionPolicies'
        EventID:
            - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
            - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
            - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
            - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
            - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
    condition: selection
falsepositives:
    - Unknown
level: high

title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
    - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
      type: similar
status: test
description: |
    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023-01-13
modified: 2024-08-23
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
    condition: selection
falsepositives:
    - Unknown
level: high

title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
    - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
      type: similar
status: test
description: |
    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2025-08-28
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa'
            - 'DisableRestrictedAdmin'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Roles Activated Too Frequently
id: 645fd80d-6c07-435b-9e06-7bc1b5656cba
status: test
description: Identifies when the same privilege role has multiple activations by the same user.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'sequentialActivationRenewalsAlertIncident'
    condition: selection
falsepositives:
    - Investigate where if active time period for a role is set too short.
level: high

title: Roles Activation Doesn't Require MFA
id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0
status: test
description: Identifies when a privilege role can be activated without performing mfa.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'noMfaOnRoleActivationAlertIncident'
    condition: selection
falsepositives:
    - Investigate if user is performing MFA at sign-in.
level: high

title: Roles Are Not Being Used
id: 8c6ec464-4ae4-43ac-936a-291da66ed13d
status: test
description: Identifies when a user has been assigned a privilege role and are not using that role.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'redundantAssignmentAlertIncident'
    condition: selection
falsepositives:
    - Investigate if potential generic account that cannot be removed.
level: high

title: Roles Assigned Outside PIM
id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
status: test
description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
references:
    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: azure
    service: pim
detection:
    selection:
        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
    condition: selection
falsepositives:
    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
level: high

title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-01-16
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Import-Certificate'
            - ' -FilePath '
            - 'Cert:\LocalMachine\Root'
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\TEMP\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - ':\Users\Public\'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: RottenPotato Like Attack Pattern
id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
status: test
description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
references:
    - https://twitter.com/SBousseaden/status/1195284233729777665
author: '@SBousseaden, Florian Roth'
date: 2019-11-15
modified: 2022-12-22
tags:
    - attack.collection
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        TargetUserName: 'ANONYMOUS LOGON'
        WorkstationName: '-'
        IpAddress:
            - '127.0.0.1'
            - '::1'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Run PowerShell Script from ADS
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
status: test
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
references:
    - https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
author: Sergey Soldatov, Kaspersky Lab, oscd.community
date: 2019-10-30
modified: 2022-07-14
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Get-Content'
            - '-Stream'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Run PowerShell Script from Redirected Input Stream
id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
status: test
description: Detects PowerShell script execution via input stream redirect
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
    - https://twitter.com/Moriarty_Meng/status/984380793383370752
author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
date: 2020-10-17
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|re: '\s-\s*<'
    condition: selection
falsepositives:
    - Unknown
level: high

title: RunDLL32 Spawning Explorer
id: caa06de8-fdef-4c91-826a-7f9e163eef4b
status: test
description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim, CD_ROM_
date: 2022-04-27
modified: 2022-05-25
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\explorer.exe'
    filter:
        ParentCommandLine|contains: '\shell32.dll,Control_RunDLL'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: RunMRU Registry Key Deletion
id: c11aecef-9c37-45a6-9c07-bc0782f963fd
related:
    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
      type: similar
status: experimental
description: |
    Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' del'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: RunMRU Registry Key Deletion - Registry
id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55
related:
    - id: c11aecef-9c37-45a6-9c07-bc0782f963fd
      type: similar
status: experimental
description: |
    Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
    Adversaries may delete this key to cover their tracks after executing commands.
references:
    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-25
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml

title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high

title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high

title: Rundll32 Registered COM Objects
id: f1edd233-30b5-4823-9e6a-c4171b24d316
status: test
description: load malicious registered COM objects
references:
    - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-02-13
modified: 2023-02-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - '-sta '
            - '-localserver '
        CommandLine|contains|all:
            - '{'
            - '}'
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: high

title: Rundll32 UNC Path Execution
id: 5cdb711b-5740-4fb2-ba88-f7945027afac
status: test
description: Detects rundll32 execution where the DLL is located on a remote location (share)
references:
    - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.002
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains: ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.persistence
    - attack.t1133
logsource:
    category: registry_set
    product: windows
detection:
    chrome_ext:
        TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
        TargetObject|endswith: 'update_url'
    chrome_vpn:
        TargetObject|contains:
            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
            - chioafkonnhbpajpengbalkececleldf # BullVPN
            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
    condition: all of chrome_*
falsepositives:
    - Unknown
level: high

title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
status: test
description: Detects handles requested to SAM registry hive
references:
    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
    - attack.credential-access
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection
falsepositives:
    - Unknown
level: high

title: SAML Token Issuer Anomaly
id: e3393cba-31f0-4207-831e-aef90ab17a8c
status: test
description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.t1606
    - attack.credential-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'tokenIssuerAnomaly'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high

title: SMB Create Remote File Admin Share
id: b210394c-ba12-4f89-9117-44a2464b9511
status: test
description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
references:
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
    - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020-08-06
modified: 2025-10-17
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|endswith: 'C$'
        AccessMask: '0x2'
    filter_main_subjectusername:
        SubjectUserName|endswith: '$'
    filter_optional_local_ip:
        IpAddress: '::1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: SNAKE Malware Covert Store Registry Key
id: d0fa35db-0e92-400e-aa16-d32ae2521618
status: test
description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SECURITY\Policy\Secrets\n'
    condition: selection
level: high

title: SNAKE Malware WerFault Persistence File Creation
id: 64827580-e4c3-4c64-97eb-c72325d45399
status: test
description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-05-18
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '\WerFault.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: SOURGUM Actor Behaviours
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
status: test
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
references:
    - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
    - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
author: MSTIC, FPT.EagleEye
date: 2021-06-15
modified: 2022-10-09
tags:
    - attack.t1546
    - attack.t1546.015
    - attack.persistence
    - attack.privilege-escalation
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|contains:
            - 'windows\system32\Physmem.sys'
            - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
    registry_image:
        Image|contains:
            - 'windows\system32\filepath2'
            - 'windows\system32\ime'
        CommandLine|contains: 'reg add'
    registry_key:
        CommandLine|contains:
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
    condition: selection or all of registry_*
falsepositives:
    - Unknown
level: high

title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high

title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: frack113
date: 2022-04-08
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_firefox:
        CommandLine|contains:
            - 'cookies.sqlite'
            - 'places.sqlite' # Bookmarks, history
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
id: 8400629e-79a9-4737-b387-5db940ab2367
status: test
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep
references:
    - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
    - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
date: 2019-06-02
modified: 2022-12-25
tags:
    - attack.lateral-movement
    - attack.t1210
    - car.2013-07-002
    - detection.emerging-threats
    - cve.2019-0708
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
        TargetUserName: AAAAAAA
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1053.005
    - attack.t1036.004
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|windash: ' /create '
        CommandLine|contains:
            - ' audiodg'
            - ' conhost'
            - ' dwm.exe'
            - ' explorer'
            - ' lsass'
            - ' lsm'
            - ' mmc'
            - ' msiexec'
            - ' regsvr32'
            - ' rundll32'
            - ' services'
            - ' spoolsv'
            - ' svchost'
            - ' taskeng'
            - ' taskhost'
            - ' wininit'
            - ' winlogon'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks scheduling trusted system processes.
level: high

title: Scheduled Task Executing Encoded Payload from Registry
id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
status: test
description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-12
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains: '/Create'
    selection_cli_encoding:
        CommandLine|contains:
            - 'FromBase64String'
            - 'encodedcommand'
    selection_cli_get:
        CommandLine|contains:
            - 'Get-ItemProperty'
            - ' gp ' # Alias
    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Scheduled TaskCache Change by Uncommon Program
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
status: test
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://labs.f-secure.com/blog/scheduled-task-tampering/
author: Syed Hasan (@syedhasan009)
date: 2021-06-18
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_other:
        TargetObject|contains:
            - 'Microsoft\Windows\UpdateOrchestrator'
            - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
            - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
    filter_main_mousocoreworker:
        Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
    filter_main_services:
        Image|endswith: 'C:\Windows\System32\services.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\'
        Image|endswith: '\TiWorker.exe'
    filter_main_svchost:
        Image: 'C:\WINDOWS\system32\svchost.exe'
    filter_main_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
        Image|endswith: '\ngen.exe'
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
            - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
    filter_main_office:
        Image:
            - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
            - 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
            - 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    filter_main_msiexec:
        Image: 'C:\Windows\System32\msiexec.exe'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
    filter_main_system:
        Image: 'System'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
    filter_optional_dropbox_updater:
        Image:
            - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
            - 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
    filter_optional_edge:
        Image|endswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
            - 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
    filter_optional_onedrive:
        Image|endswith:
            - 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
            - 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
related:
    - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
      type: similar
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023-12-18
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID:
            - 4698
            - 4699
            - 4702
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
related:
    - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
      type: similar
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023-12-18
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 129 # Task Created
            - 140 # Task Updated
            - 141 # Task Deleted
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_root:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - ' /change '
            - ' /create '
    selection_run:
        CommandLine|contains: '/ru '
    selection_user:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
    filter_optional_teamviewer:
        # FP from test set in SIGMA
        # Cannot use ParentImage on all OSes for 4688 events
        # ParentImage|contains|all:
        #     - '\AppData\Local\Temp\'
        #     - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/TN TVInstallRestore'
            - '\TeamViewer_.exe'
    filter_optional_office:
        CommandLine|contains|all:
            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
            - 'Subscription Heartbeat'
            - '\HeartbeatConfig.xml'
            - '\Microsoft Shared\OFFICE'
    filter_optional_avira:
        CommandLine|contains:
            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_create:
        CommandLine|contains: ' /create '
    selection_command:
        CommandLine|contains:
            - 'powershell'
            - 'pwsh'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    selection_all_folders:
        CommandLine|contains:
            - 'C:\ProgramData\'
            - '%ProgramData%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: ScreenConnect - SlashAndGrab Exploitation Indicators
id: 05164d17-8e11-4d7d-973e-9e4962436b87
status: test
description: |
    Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains|all:
              - 'C:\Windows\Temp\ScreenConnect\'
              - '\LB3.exe'
        - TargetFilename|contains:
              - 'C:\mpyutd.msi'
              - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
              - 'C:\ProgramData\1.msi'
              - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
              - 'C:\ProgramData\update.dat'
              - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
              - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
              - 'C:\Windows\Help\Help\SentinelUI.exe'
              - 'C:\Windows\spsrv.exe'
              - 'C:\Windows\Temp\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
    - https://redcanary.com/blog/child-processes/
    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\scrcons.exe'
        Image|endswith:
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Script Interpreter Execution From Suspicious Folder
id: 1228c958-e64e-4e71-92ad-7d429f4138ba
status: test
description: |
    Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
    Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
references:
    - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
    - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-08
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc_image:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    selection_proc_flags:
        CommandLine|contains:
            - ' -ep bypass '
            - ' -ExecutionPolicy bypass '
            - ' -w hidden '
            - '/e:javascript '
            - '/e:Jscript '
            - '/e:vbscript '
    selection_proc_original:
        OriginalFileName:
            - 'cscript.exe'
            - 'mshta.exe'
            - 'wscript.exe'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\%Public%'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '\Start Menu\Programs\Startup\'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Documents\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Music\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Videos\'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - Various legitimate software have been observed to use similar techniques for installation or update purposes;thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
level: high

title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.execution
    - attack.collection
    - attack.t1005
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
         # Add more script interpreters as needed
            - '/node'
            - '/bun'
    selection_child:
        - Image|endswith:
              - '/trufflehog'
              - '/gitleaks'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high

title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
           # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml

title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    filter_main_cmd_bits:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'bits'
    filter_main_powershell_noprofile:
        Image|endswith: '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile -'
            - '-noprofile'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
    - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
      type: similar
status: experimental
description: |
    Detects attempts to disable security event logging by adding the `MiniNt` registry key.
    This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
    Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains|all:
            - ' add '
            - '\SYSTEM\CurrentControlSet\Control\MiniNt'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd1:
        CommandLine|contains:
            - 'New-Item '
            - 'ni '
    selection_powershell_cmd2:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
    - Highly Unlikely
level: high

title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
      type: similar
status: experimental
description: |
    Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
    Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
    Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
    condition: selection
falsepositives:
    - Highly Unlikely
level: high