title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
    - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
      type: obsolete
status: test
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022-01-28
modified: 2023-12-04
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'whoami.exe'
        - Image|endswith: '\whoami.exe'
    selection_user:
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - 'TrustedInstaller'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Win Defender Restored Quarantine File
id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
status: test
description: Detects the restoration of files from the defender quarantine
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 1009 # The antimalware platform restored an item from quarantine.
    condition: selection
falsepositives:
    - Legitimate administrator activity restoring a file
level: high

title: WinDivert Driver Load
id: 679085d5-f427-4484-9f58-1dc30a7c426d
status: test
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
references:
    - https://reqrypt.org/windivert-doc.html
    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.defense-impairment
    - attack.t1599.001
    - attack.t1557.001
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|contains:
              - '\WinDivert.sys'
              - '\WinDivert64.sys'
              # Other used names
              - '\NordDivert.sys'
              - '\lingtiwfp.sys'
              - '\eswfp.sys'
        - Hashes|contains:
              - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
              - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
              - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
              - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
              - 'IMPHASH=58623490691babe8330adc81cd04a663'
              - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
              - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
              - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
              - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
              - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
              - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
              - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
              - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
              - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
              - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
              - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
              - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
              - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
    condition: selection
falsepositives:
    - Legitimate WinDivert driver usage
level: high

title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows AMSI Related Registry Tampering Via CommandLine
id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981
related:
    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification
      type: similar
status: experimental
description: |
    Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.
    AMSI provides a generic interface for applications and services to integrate with antimalware products.
    Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
references:
    - https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_key:
        CommandLine|contains|all:
            - '\Software\Microsoft\Windows Script\Settings'
            - 'AmsiEnable'
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains: 'add'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd:
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'sp '
    condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0

title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
      type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        Image|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\RuntimeBroker.exe'
            - '\sihost.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.txt'
            - '.vbe'
            - '.vbs'
    selection_special:
        Image|endswith:
            - '\dllhost.exe'
            - '\rundll32.exe'
            - '\svchost.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_main_AppLockerPolicyTest:
        Image: 'C:\Windows\System32\dllhost.exe'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\__PSScriptPolicyTest_'
        TargetFilename|endswith: '.ps1'
    filter_main_script_gpo_machine:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Windows\System32\GroupPolicy\DataStore\'
            - '\sysvol\'
            - '\Policies\'
            - '\Machine\Scripts\Startup\'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
    filter_main_clipchamp:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Program Files\WindowsApps\Clipchamp'
            - '.ps1'
    filter_main_powershell_preview:
        Image:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Windows Credential Guard Disabled - Registry
id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
related:
    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
    - https://woshub.com/disable-credential-guard-windows/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\Lsa\LsaCfgFlags'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml

title: Windows Credential Guard Registry Tampering Via CommandLine
id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
related:
    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
      type: similar
    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
      type: similar
status: experimental
description: |
    Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.
    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
    The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.
    Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
references:
    - https://woshub.com/disable-credential-guard-windows/
    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            # add/modify
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si '  # SetItem Alias
            # delete
            - 'delete '
            - 'del '
            - 'Remove-ItemProperty '
            - 'rp '
    selection_key_base:
        CommandLine|contains:
            - '\Control\DeviceGuard'
            - '\Control\LSA'
            - 'Software\Policies\Microsoft\Windows\DeviceGuard'
    selection_key_specific:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'RequirePlatformSecurityFeatures'
            - 'LsaCfgFlags'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml

title: Windows Credential Guard Related Registry Value Deleted - Registry
id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
related:
    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
    - https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\DeviceGuard\EnableVirtualizationBasedSecurity'
            - '\DeviceGuard\LsaCfgFlags'
            - '\DeviceGuard\RequirePlatformSecurityFeatures'
            - '\Lsa\LsaCfgFlags'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml

title: Windows Defender AMSI Trigger Detected
id: ea9bf0fa-edec-4fb8-8b78-b119f2528186
status: stable
description: Detects triggering of AMSI by Windows Defender.
references:
    - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
author: Bhabesh Raj
date: 2020-09-14
modified: 2022-12-07
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
        SourceName: 'AMSI'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Windows Defender Configuration Changes
id: 801bd44f-ceed-4eb6-887c-11544633c0aa
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: similar
    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
      type: similar
    - id: 91903aba-1088-42ee-b680-d6d94fe002b0
      type: similar
status: stable
description: Detects suspicious changes to the Windows Defender configuration
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
modified: 2023-11-24
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains:
            # TODO: Add more suspicious values
            - '\Windows Defender\DisableAntiSpyware '
            # - '\Windows Defender\Features\TamperProtection ' # Might produce FP
            - '\Windows Defender\Scan\DisableRemovableDriveScanning '
            - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
            - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
            - '\Real-Time Protection\SpyNetReporting '
            # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
            # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
    condition: selection
falsepositives:
    - Administrator activity (must be investigated)
level: high

title: Windows Defender Context Menu Removed
id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
related:
    - id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
      type: similar
status: experimental
description: |
    Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
    This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
    Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
references:
    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_action:
        CommandLine|contains:
            - 'del'
            - 'Remove-Item'
            - 'ri '
    selection_reg_path:
        CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
    condition: all of selection_*
falsepositives:
    - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
level: high

title: Windows Defender Definition Files Removed
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
author: frack113
date: 2021-07-07
modified: 2023-07-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MpCmdRun.exe'
        - OriginalFileName: MpCmdRun.exe
    selection_cli:
        CommandLine|contains|all:
            - ' -RemoveDefinitions'
            - ' -All'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Windows Defender Exploit Guard Tamper
id: a3ab73f1-bd46-4319-8f06-4b20d0617886
status: test
description: |
    Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    allowed_apps_key:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    allowed_apps_path:
        NewValue|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    protected_folders:
        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
        OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    condition: all of allowed_apps* or protected_folders
falsepositives:
    - Unlikely
level: high

title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: |
    Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5101 # The antimalware platform is expired.
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows Defender Malware And PUA Scanning Disabled
id: bc275be9-0bec-4d77-8c8f-281a2df6710f
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5010 # Scanning for malware and other potentially unwanted software is disabled.
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows Defender Real-time Protection Disabled
id: b28e58e4-2a72-4fae-bdee-0fbe904db642
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: |
    Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5001 # Real-time protection is disabled.
    condition: selection
falsepositives:
    - Administrator actions (should be investigated)
    - Seen being triggered occasionally during Windows 8 Defender Updates
level: high

title: Windows Defender Service Disabled - Registry
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
status: test
description: Detects when an attacker or tool disables the  Windows Defender service (WinDefend) via the registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022-08-01
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Services\WinDefend\Start'
        Details: 'DWORD (0x00000004)'
    condition: selection
falsepositives:
    - Administrator actions
level: high

title: Windows Defender Threat Detected
id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
status: stable
description: Detects actions taken by Windows Defender malware detection engines
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
author: Ján Trenčanský
date: 2020-07-28
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID:
            - 1006 # The antimalware engine found malware or other potentially unwanted software.
            - 1015 # The antimalware platform detected suspicious behavior.
            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
      type: similar
status: experimental
description: |
    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
falsepositives:
    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
    - Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high

title: Windows Defender Virus Scanning Feature Disabled
id: 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: Detects disabling of the Windows Defender virus scanning feature
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5012 # Scanning for viruses is disabled.
    condition: selection
falsepositives:
    - Unknown
level: high

title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
    - https://www.youtube.com/watch?v=uSYvHUVU8xY
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    # O:SYG:SYD:(D;;0x1;;;WD)
    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
    selection_key_1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\CustomSD'
    selection_key_2:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows\EventLog\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        TargetObject|endswith: '\ChannelAccess'
    selection_details:
        - Details|contains: 'D:(D;'
        - Details|contains|all:
              - 'D:('
              - ')(D;'
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_optional_empty:
        Image: ''
    filter_optional_null:
        Image: null
    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity, still unlikely
level: high

title: Windows EventLog Autologger Session Registry Modification Via CommandLine
id: d7b81144-b866-48a4-9bcc-275dc69d870e
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects attempts to disable Windows EventLog autologger sessions via registry modification.
    The AutoLogger event tracing session records events that occur early in the operating system boot process.
    Applications and device drivers can use the AutoLogger session to capture traces before the user logs in.
    Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
    - https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://ptylu.github.io/content/report/report.html?report=25
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains:
            - 'add '
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - 'si ' # Set-ItemProperty alias
    selection_cli_base:
        CommandLine|contains: '\Control\WMI\Autologger\'
    selection_cli_key:
        CommandLine|contains:
            - 'Start' # Key used to disable specific autologger session like EventLog-Application, EventLog-System etc.
            - 'Enabled' # Key used to disable specific provider of autologger session
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_autologger_session_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
    - type: atomic-red-team
      name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - Cmd
      technique: T1562.001
      atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
    - type: atomic-red-team
      name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
      technique: T1562.001
      atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0

title: Windows Filtering Platform Blocked Connection From EDR Agent Binary
id: bacf58c6-e199-4040-a94f-95dea0f1e45a
status: test
description: |
    Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
    Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
references:
    - https://github.com/netero1010/EDRSilencer
    - https://github.com/amjcyber/EDRNoiseMaker
    - https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
author: '@gott_cyber'
date: 2024-01-08
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Connection needs to be enabled'
detection:
    selection:
        EventID: 5157
        Application|endswith:
            - '\AmSvc.exe' # Cybereason
            - '\cb.exe' # Carbon Black EDR
            - '\CETASvc.exe' # TrendMicro Apex One
            - '\CNTAoSMgr.exe' # TrendMicro Apex One
            - '\CrAmTray.exe' # Cybereason
            - '\CrsSvc.exe' # Cybereason
            - '\CSFalconContainer.exe' # CrowdStrike Falcon
            - '\CSFalconService.exe' # CrowdStrike Falcon
            - '\CybereasonAV.exe' # Cybereason
            - '\CylanceSvc.exe' # Cylance
            - '\cyserver.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\CyveraService.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\CyvrFsFlt.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\EIConnector.exe' # ESET Inspect
            - '\elastic-agent.exe' # Elastic EDR
            - '\elastic-endpoint.exe' # Elastic EDR
            - '\EndpointBasecamp.exe' # TrendMicro Apex One
            - '\ExecutionPreventionSvc.exe' # Cybereason
            - '\filebeat.exe' # Elastic EDR
            - '\fortiedr.exe' # FortiEDR
            - '\hmpalert.exe' # Sophos EDR
            - '\hurukai.exe' # Harfanglab EDR
            - '\LogProcessorService.exe' # SentinelOne
            - '\mcsagent.exe' # Sophos EDR
            - '\mcsclient.exe' # Sophos EDR
            - '\MsMpEng.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\MsSense.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\Ntrtscan.exe' # TrendMicro Apex One
            - '\PccNTMon.exe' # TrendMicro Apex One
            - '\QualysAgent.exe' # Qualys EDR
            - '\RepMgr.exe' # Carbon Black Cloud
            - '\RepUtils.exe' # Carbon Black Cloud
            - '\RepUx.exe' # Carbon Black Cloud
            - '\RepWAV.exe' # Carbon Black Cloud
            - '\RepWSC.exe' # Carbon Black Cloud
            - '\sedservice.exe' # Sophos EDR
            - '\SenseCncProxy.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseIR.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseNdr.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SenseSampleUploader.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus
            - '\SentinelAgent.exe' # SentinelOne
            - '\SentinelAgentWorker.exe' # SentinelOne
            - '\SentinelBrowserNativeHost.exe' # SentinelOne
            - '\SentinelHelperService.exe' # SentinelOne
            - '\SentinelServiceHost.exe' # SentinelOne
            - '\SentinelStaticEngine.exe' # SentinelOne
            - '\SentinelStaticEngineScanner.exe' # SentinelOne
            - '\sfc.exe' # Cisco Secure Endpoint (Formerly Cisco AMP)
            - '\sophos ui.exe' # Sophos EDR
            - '\sophosfilescanner.exe' # Sophos EDR
            - '\sophosfs.exe' # Sophos EDR
            - '\sophoshealth.exe' # Sophos EDR
            - '\sophosips.exe' # Sophos EDR
            - '\sophosLivequeryservice.exe' # Sophos EDR
            - '\sophosnetfilter.exe' # Sophos EDR
            - '\sophosntpservice.exe' # Sophos EDR
            - '\sophososquery.exe' # Sophos EDR
            - '\sspservice.exe' # Sophos EDR
            - '\TaniumClient.exe' # Tanium
            - '\TaniumCX.exe' # Tanium
            - '\TaniumDetectEngine.exe' # Tanium
            - '\TMBMSRV.exe' # TrendMicro Apex One
            - '\TmCCSF.exe' # TrendMicro Apex One
            - '\TmListen.exe' # TrendMicro Apex One
            - '\TmWSCSvc.exe' # TrendMicro Apex One
            - '\Traps.exe' # Palo Alto Networks Traps/Cortex XDR
            - '\winlogbeat.exe' # Elastic EDR
            - '\WSCommunicator.exe' # TrendMicro Apex One
            - '\xagt.exe' # Trellix EDR
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Windows Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
related:
    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
      type: similar
status: test
description: |
    Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
            - '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
            - '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020

title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ' http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Windows LAPS Credential Dump From Entra ID
id: a4b25073-8947-489c-a8dd-93b41c23f26d
status: test
description: Detects when an account dumps the LAPS password from Entra ID.
references:
    - https://twitter.com/NathanMcNulty/status/1785051227568632263
    - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
    - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
author: andrewdanis
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.005
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        category: 'Device'
        activityType|contains: 'Recover device local administrator password'
        additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
    condition: selection
falsepositives:
    - Approved activity performed by an Administrator.
level: high

title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        Image|endswith:
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\sh.exe'
            - '\wscript.exe'
        TargetFilename|startswith:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
    selection_2:
        Image|endswith:
            - '\certutil.exe'
            - '\forfiles.exe'
            - '\mshta.exe'
            # - '\rundll32.exe' # Potential FP
            - '\schtasks.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
        TargetFilename|contains:
            - 'C:\PerfLogs\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.001
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            # - '\cmd.exe'  # too many false positives
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\wmiprvse.exe'
            - '\regsvr32.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\nslookup.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\mshta.exe'
    filter_ccmcache:
        CurrentDirectory|contains: '\ccmcache\'
    filter_amazon:
        ParentCommandLine|contains:
            # FP - Amazon Workspaces
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
            - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
            - '\nessus_' # Tenable/Nessus VA Scanner
    filter_nessus:
        CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
    filter_sccm_install:
        ParentImage|endswith: '\mshta.exe'
        Image|endswith: '\mshta.exe'
        ParentCommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\splash.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
        CommandLine|contains|all:
            - 'C:\MEM_Configmgr_'
            - '\SMSSETUP\BIN\'
            - '\autorun.hta'
            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
    condition: selection and not 1 of filter_*
falsepositives:
    - Administrative scripts
    - Microsoft SCCM
level: high

title: Windows Suspicious Child Process from Node.js - React2Shell
id: 271de298-cc0e-4842-acd8-079a0a99ea65
related:
    - id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
      type: similar
status: experimental
description: |
    Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
    Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
    If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
    For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '\node_modules\next'
            - 'next dev'
            - 'next start'
            - 'next" start'
            - 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method  is used to spawn suspicious processes
        - Image|endswith:
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certutil.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\ipconfig.exe'
              - '\mshta.exe'
              - '\net.exe'
              - '\net1.exe'
              - '\netsh.exe'
              - '\nslookup.exe'
              - '\OpenConsole.exe'
              - '\perl.exe'
              - '\ping.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\py.exe'
              - '\python.exe'
              - '\pythonw.exe'
              - '\pyw.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\sc.exe'
              - '\sh.exe'
              - '\systeminfo.exe'
              - '\wget.exe'
              - '\whoami.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wt.exe'
        - Image|contains: '\python'
    selection_generic_child_cli_susp_pattern:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # In default, the cli will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
        CommandLine|contains:
            - '\net'
            - 'bitsadmin'
            - 'certutil '
            - 'conhost --headless'
            - 'cscript '
            - 'curl'
            - 'ipconfig'
            - 'java'
            - 'lua'
            - 'mshta'
            - 'netsh'
            - 'nslookup '
            - 'perl'
            - 'ping '
            - 'powershell'
            - 'pwsh'
            - 'python'
            - 'reg '
            - 'reg.exe'
            - 'regsvr32'
            - 'ruby'
            - 'rundll32'
            - 'sc.exe'
            - 'systeminfo'
            - 'wget'
            - 'whoami'
            - 'wmic'
            - 'wscript'
    selection_specific_cmd:
        Image|endswith: '\cmd.exe'
    selection_specific_cli:
        CommandLine|contains: '/d /s /c '
    filter_main_default_shell_flag:
        CommandLine|contains: '/d /s /c '
    filter_main_cli_git:
        CommandLine|contains: 'git config --local --get remote.origin.url'
    filter_main_cli_netstat:
        CommandLine|contains|all:
            - 'netstat -ano | findstr /C:'
            - ' | findstr LISTENING'
    filter_main_cli_mkcert_install:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -install '
    filter_main_cli_mkcert_caroot:
        CommandLine|contains|all:
            - '\mkcert\'
            - ' -CAROOT'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_cmd and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and not 1 of filter_main_cli_*)
        )
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml

title: Windows Vulnerable Driver Blocklist Disabled
id: d526c60a-e236-4011-b165-831ffa52ab70
related:
    - id: 22154f0e-5132-4a54-aa78-cc62f6def531
      type: similar
status: experimental
description: |
    Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
    Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely and should be investigated immediately.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml

title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
    - Legitimate WebDAV administration
level: high

title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_method:
        cs-method: 'GET'
    selection_keywords:
        # The "%20" is URL encoded version of the space
        # The "%2B" is URL encoded version of the "+"
        - '=whoami'
        - '=net%20user'
        - '=net+user'
        - '=net%2Buser'
        - '=cmd%20/c%'
        - '=cmd+/c+'
        - '=cmd%2B/c%'
        - '=cmd%20/r%'
        - '=cmd+/r+'
        - '=cmd%2B/r%'
        - '=cmd%20/k%'
        - '=cmd+/k+'
        - '=cmd%2B/k%'
        - '=powershell%'
        - '=powershell+'
        - '=tasklist%'
        - '=tasklist+'
        - '=wmic%'
        - '=wmic+'
        - '=ssh%'
        - '=ssh+'
        - '=python%'
        - '=python+'
        - '=python3%'
        - '=python3+'
        - '=ipconfig'
        - '=wget%'
        - '=wget+'
        - '=curl%'
        - '=curl+'
        - '=certutil'
        - '=copy%20%5C%5C'
        - '=dsquery%'
        - '=dsquery+'
        - '=nltest%'
        - '=nltest+'
    condition: all of selection_*
falsepositives:
    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
    - User searches in search boxes of the respective website
level: high

title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
status: test
description: |
    Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021-12-30
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
        Details|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
    Detects the execution of Winrs.exe where it is used to execute commands locally.
    Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.006
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
        - Image|endswith: '\winrs.exe'
        - OriginalFileName: 'winrs.exe'
    selection_local_ip:
        CommandLine|contains|windash:
            - '/r:localhost'
            - '/r:127.0.0.1'
            - '/r:[::1]'
            - '/remote:localhost'
            - '/remote:127.0.0.1'
            - '/remote:[::1]'
    filter_main_remote:
        CommandLine|contains|windash:
            - "/r:"
            - "/remote:"
    condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
    - Unlikely
level: high

title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\wmiprvse.exe'
        ImageLoaded|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: test
description: |
    Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
    Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wusa.exe'
    selection_paths_1:
        ParentImage|contains:
            # Note: Add additional suspicious locations to increase coverage
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Appdata\Local\Temp\'
            - '\Temporary Internet'
    selection_paths_2:
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentImage|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_msu:
        # Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
        CommandLine|contains: '.msu'
    condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Xwizard.EXE Execution From Non-Default Location
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
status: test
description: |
    Detects the execution of Xwizard tool from a non-default directory.
    When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard (Nextron Systems)
date: 2021-09-20
modified: 2024-08-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xwizard.exe'
        - OriginalFileName: 'xwizard.exe'
    filter_main_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Windows installed on non-C drive
level: high

title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
status: test
description: Detects the use of smbexec.py tool by detecting a specific service installation
references:
    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
    - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
    - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
date: 2018-03-20
modified: 2023-11-09
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.002
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service_name:
        ServiceName: 'BTOBTO'
    selection_service_image:
        ImagePath|contains:
            - '.bat & del '
            - '__output 2^>^&1 >'
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high

title: .Class Extension URI Ending Request
id: 53c15703-b04c-42bb-9055-1937ddfb3392
status: test
description: |
    Detects requests to URI ending with the ".class" extension in proxy logs.
    This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-21
modified: 2024-02-26
tags:
    - attack.initial-access
    - detection.threat-hunting
logsource:
    category: proxy
detection:
    selection:
        c-uri|endswith: '.class'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: 7Zip Compressing Dump Files
id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
related:
    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
      type: derived
status: test
description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2026-06-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
              - '7zr.exe'
    selection_extension:
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
    - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
level: medium

title: A New Trust Was Created To A Domain
id: 0255a820-e564-4e40-af2b-6ac61160335c
status: stable
description: Addition of domains is seldom and should be verified for legitimacy.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
author: Thomas Patzke
date: 2019-12-03
modified: 2024-01-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4706
    condition: selection
falsepositives:
    - Legitimate extension of domain structure
level: medium

title: A Rule Has Been Deleted From The Windows Firewall Exception List
id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
status: test
description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2024-08-29
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list
            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)
    filter_main_generic:
        ModifyingApplication|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\WinSxS\'
    filter_main_svchost:
        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
    filter_optional_msmpeng:
        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        ModifyingApplication|endswith: '\MsMpEng.exe'
    filter_main_null:
        ModifyingApplication: null
    filter_main_empty:
        ModifyingApplication: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium

title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: similar
status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ADExp.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADExplorer64a.exe'
        TargetFilename|endswith: '.dat'
    condition: selection
falsepositives:
    - Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium

title: ADFS Database Named Pipe Connection By Uncommon Tool
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
status: test
description: |
    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
    - https://o365blog.com/post/adfs/
    - https://github.com/Azure/SimuLand
author: Roberto Rodriguez @Cyb3rWard0g
date: 2021-10-08
modified: 2023-11-30
tags:
    - attack.collection
    - attack.t1005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName: '\MICROSOFT##WID\tsql\query'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\system32\svchost.exe'
            - ':\Windows\System32\wsmprovhost.exe'
            - ':\Windows\SysWOW64\mmc.exe'
            - ':\Windows\SysWOW64\wsmprovhost.exe'
            - ':\Windows\WID\Binn\sqlwriter.exe'
            - '\AzureADConnect.exe'
            - '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - '\Microsoft.IdentityServer.ServiceHost.exe'
            - '\Microsoft.Tri.Sensor.exe'
            - '\sqlservr.exe'
            - '\tssdis.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: ADS Zone.Identifier Deleted By Uncommon Application
id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
related:
    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
modified: 2025-07-04
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    filter_main_generic:
        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\explorer.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_optional_browsers_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_browsers_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_browsers_msedge:
        Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other third party applications not listed.
level: medium

title: ADSI-Cache File Creation By Uncommon Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
references:
    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
    - https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec, Tim Shelton
date: 2019-03-24
modified: 2023-10-18
tags:
    - attack.t1001.003
    - attack.command-and-control
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
        TargetFilename|endswith: '.sch'
    filter_main_generic:
        - Image|endswith:
              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
              - ':\Windows\CCM\CcmExec.exe'
              - ':\windows\system32\dllhost.exe'
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\efsui.exe'
              - ':\windows\system32\mmc.exe'
              - ':\windows\system32\svchost.exe'
              - ':\Windows\System32\wbem\WmiPrvSE.exe'
              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains:
              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
    filter_main_office:
        Image|contains|all:
            - ':\Program Files\'
            - '\Microsoft Office'
        Image|endswith: '\OUTLOOK.EXE'
    filter_optional_ldapwhoami:
        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
    filter_optional_citrix:
        # Example:
        #   TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: medium

title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    contains_format_pretty_arg:
        CommandLine|contains:
            - 'format:pretty'
            - 'format:"pretty"'
            - 'format:"text"'
            - 'format:text'
    image_from_system_folder:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    contains_winrm:
        CommandLine|contains: 'winrm'
    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
falsepositives:
    - Unlikely
level: medium

title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
    - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
      type: derived
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1216
logsource:
    product: windows
    category: file_event
detection:
    system_files:
        TargetFilename|endswith:
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder
falsepositives:
    - Unlikely
level: medium

title: AWS Bucket Deleted
id: 39c9f26d-6e3b-4dbb-9c7a-4154b0281112
status: experimental
description: |
    Detects the deletion of S3 buckets in AWS CloudTrail logs.
    Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.
references:
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
    - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
    - attack.stealth
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_name:
        eventName: 'DeleteBucket'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_name and 1 of selection_status_*
falsepositives:
    - During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities.
level: medium