title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
    - attack.t1204.002
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    # Note: Please add more file extensions to the logic of your choice.
    selection1:
        Image|endswith:
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    selection2:
        TargetFilename|endswith:
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ocx'
            - '.proj'
            - '.ps1'
            - '.scf'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    filter_main_localassembly:
        TargetFilename|contains: '\AppData\Local\assembly\tmp\'
        TargetFilename|endswith: '.dll'
    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\WebServiceCache\AllUsers'
        TargetFilename|endswith: '.com'
    filter_optional_webex:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\BackstageInAppNavCache\'
        TargetFilename|endswith: '.com'
    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: FileFix - Command Evidence in TypedPaths
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
related:
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: similar
status: experimental
description: |
    Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
    - https://x.com/russianpanda9xx/status/1940831134759506029
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-05
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: registry_set
    product: windows
detection:
    selection_base:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains|all:
            - '#'
            - 'http'
    selection_cmd:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'cpassword'
            - '\sysvol\'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
    - type: atomic-red-team
      name: GPP Passwords (findstr)
      technique: T1552.006
      atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f

title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
related:
    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074
      type: similar
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
status: test
description: |
    Detects execution of the "finger.exe" utility.
    Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'finger.exe'
        - Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Admin activity (unclear what they do nowadays with finger.exe)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml

title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    false_positives:
        RelativeTargetName:
            - 'atsvc'
            - 'samr'
            - 'lsarpc'
            - 'lsass'
            - 'winreg'
            - 'netlogon'
            - 'srvsvc'
            - 'protected_storage'
            - 'wkssvc'
            - 'browser'
            - 'netdfs'
            - 'svcctl'
            - 'spoolss'
            - 'ntsvcs'
            - 'LSM_API_service'
            - 'HydraLsPipe'
            - 'TermSrv_API_service'
            - 'MsFteWds'
            - 'sql\query'
            - 'eventlog'
    condition: selection1 and not false_positives
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high

title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
      type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
    filter_keywords:
        - 'samr'
        - 'lsarpc'
        - 'winreg'
        - 'netlogon'
        - 'srvsvc'
        - 'protected_storage'
        - 'wkssvc'
        - 'browser'
        - 'netdfs'
        - 'svcctl'
        - 'spoolss'
        - 'ntsvcs'
        - 'LSM_API_service'
        - 'HydraLsPipe'
        - 'TermSrv_API_service'
        - 'MsFteWds'
    condition: selection and not 1 of filter_*
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high

title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high

title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        EventType: DeleteValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
    condition: selection
falsepositives:
    - Legitimate administrators removing applications (should always be investigated)
level: high

title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
    Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Notes:
        #   - The parent must not have CLI options
        #   - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
        #   - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
        ParentCommandLine|endswith:
            - '.exe'
            - '.exe"'
        Image|endswith: '\cmd.exe'
        CommandLine|startswith: '/c echo "'
    filter_main_parent_not_sys:
        ParentImage|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
        ParentImage|endswith: '\forfiles.exe'
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
        Image|endswith: '\cmd.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
  Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high

title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high

title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: test
description: Detects when a user disables a critical security feature for an organization.
references:
    - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
    - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-29
modified: 2024-07-22
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_advanced_security.disabled_for_new_repos'
            - 'business_advanced_security.disabled_for_new_user_namespace_repos'
            - 'business_advanced_security.disabled'
            - 'business_advanced_security.user_namespace_repos_disabled'
            - 'org.advanced_security_disabled_for_new_repos'
            - 'org.advanced_security_disabled_on_all_repos'
            - 'org.advanced_security_policy_selected_member_disabled'
            - 'org.disable_oauth_app_restrictions'
            - 'org.disable_two_factor_requirement'
            - 'repo.advanced_security_disabled'
    condition: selection
falsepositives:
    - Approved administrator/owner activities.
level: high

title: Github Push Protection Disabled
id: ccd55945-badd-4bae-936b-823a735d37dd
status: test
description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning_custom_pattern_push_protection.disabled'
            - 'business_secret_scanning_push_protection.disable'
            - 'business_secret_scanning_push_protection.disabled_for_new_repos'
            - 'org.secret_scanning_custom_pattern_push_protection_disabled'
            - 'org.secret_scanning_push_protection_disable'
            - 'org.secret_scanning_push_protection_new_repos_disable'
            - 'repository_secret_scanning_custom_pattern_push_protection.disabled'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high

title: Github Secret Scanning Feature Disabled
id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
status: test
description: Detects if the secret scanning feature is disabled for an enterprise or repository.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
modified: 2024-07-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning.disable'
            - 'business_secret_scanning.disabled_for_new_repos'
            - 'repository_secret_scanning.disable'
            - 'secret_scanning_new_repos.disable'
            - 'secret_scanning.disable'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high

title: Guacamole Two Users Sharing Session Anomaly
id: 1edd77db-0669-4fef-9598-165bda82826d
status: test
description: Detects suspicious session with two users present
references:
    - https://research.checkpoint.com/2020/apache-guacamole-rce/
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1212
logsource:
    product: linux
    service: guacamole
detection:
    selection:
        - '(2 users now present)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
id: 38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8
status: experimental
description: |
    Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
    Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
references:
    - https://github.com/logangoins/SharpSuccessor
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-06
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpSuccessor.exe'
        - OriginalFileName: 'SharpSuccessor.exe'
        - CommandLine|contains: 'SharpSuccessor'
        - CommandLine|contains|all:
              - ' add '
              - ' /impersonate'
              - ' /path'
              - ' /account'
              - ' /name'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.credential-access
    - attack.t1110
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - ADCSPwn Execution
id: cd8c163e-a19b-402e-bdd5-419ff5859f12
status: test
description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
references:
    - https://github.com/bats3c/ADCSPwn
author: Florian Roth (Nextron Systems)
date: 2021-07-31
modified: 2023-02-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' --adcs '
            - ' --port '
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter
level: high

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Certify Execution
id: 762f2482-ff21-4970-8939-0aa317a886bb
status: test
description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/GhostPack/Certify
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2023-04-25
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certify.exe'
        - OriginalFileName: 'Certify.exe'
        - Description|contains: 'Certify'
    selection_cli_commands:
        CommandLine|contains:
            - '.exe cas '
            - '.exe find '
            - '.exe pkiobjects '
            - '.exe request '
            - '.exe download '
    selection_cli_options:
        CommandLine|contains:
            - ' /vulnerable'
            - ' /template:'
            - ' /altname:'
            - ' /domain:'
            - ' /path:'
            - ' /ca:'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high

title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: |
    Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/ly4k/Certipy
    - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
date: 2023-04-17
modified: 2024-10-08
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certipy.exe'
        - OriginalFileName: 'Certipy.exe'
        - Description|contains: 'Certipy'
    selection_cli_commands:
        CommandLine|contains:
            - ' account '
            - ' auth '
            # - ' ca ' # Too short to be used with just one CLI
            - ' cert '
            - ' find '
            - ' forge '
            - ' ptt '
            - ' relay '
            - ' req '
            - ' shadow '
            - ' template '
    selection_cli_flags:
        CommandLine|contains:
            - ' -bloodhound'
            - ' -ca-pfx '
            - ' -dc-ip '
            - ' -kirbi'
            - ' -old-bloodhound'
            - ' -pfx '
            - ' -target'
            - ' -template'
            - ' -username '
            - ' -vulnerable'
            - 'auth -pfx'
            - 'shadow auto'
            - 'shadow list'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unlikely
level: high

title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
    - https://github.com/boku7/injectAmsiBypass
    - https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1106
    - attack.t1685
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
        GrantedAccess:
            - '0x1028'
            - '0x1fffff'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
    - id: 953b895e-5cc9-454b-b183-7f3db555452e
      type: obsolete
    - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
      type: obsolete
    - id: 37325383-740a-403d-b1a2-b2b4ab7992e7
      type: obsolete
    - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
      type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection_amazon_1:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'GET'
        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
        cs-host: 'www.amazon.com'
        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
    selection_amazon_2:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'POST'
        c-uri: '/N4215/adj/amzn.us.sr.aps'
        cs-host: 'www.amazon.com'
    selection_generic_1:
        c-useragent:
            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
    selection_generic_2:
        c-useragent|endswith: '; MANM; MANM)'
    selection_oscp:
        c-uri|contains: '/oscp/'
        cs-host: 'ocsp.verisign.com'
    selection_onedrive:
        cs-method: 'GET'
        c-uri|endswith: '\?manifest=wac'
        cs-host: 'onedrive.live.com'
    filter_main_onedrive:
        c-uri|startswith: 'http'
        c-uri|contains: '://onedrive.live.com/'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: HackTool - CoercedPotato Execution
id: e8d34729-86a4-4140-adfd-0a29c2106307
status: test
description: Detects the use of CoercedPotato, a tool for privilege escalation
references:
    - https://github.com/hackvens/CoercedPotato
    - https://blog.hackvens.fr/articles/CoercedPotato.html
author: Florian Roth (Nextron Systems)
date: 2023-10-11
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\CoercedPotato.exe'
    selection_params:
        CommandLine|contains: ' --exploitId '
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
            - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
            - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - CoercedPotato Named Pipe Creation
id: 4d0083b3-580b-40da-9bba-626c19fe4033
status: test
description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
references:
    - https://blog.hackvens.fr/articles/CoercedPotato.html
    - https://github.com/hackvens/CoercedPotato
author: Florian Roth (Nextron Systems)
date: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\coerced\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
    condition: 1 of selection_*
level: high

title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.discovery
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1110
    - attack.t1201
logsource:
    category: process_creation
    product: windows
detection:
    selection_binary:
        Image|endswith: '\crackmapexec.exe'
    selection_special:
        CommandLine|contains: ' -M pe_inject '
    selection_execute:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -x '
    selection_hash:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
            - " -H 'NTHASH'"
    selection_module_mssql:
        CommandLine|contains|all:
            - ' mssql '
            - ' -u '
            - ' -p '
            - ' -M '
            - ' -d '
    selection_module_smb1:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -H '
            - ' -M '
            - ' -o '
    selection_module_smb2:
        CommandLine|contains|all:
            - ' smb '
            - ' -u '
            - ' -p '
            - ' --local-auth'
    part_localauth_1:
        CommandLine|contains|all:
            - ' --local-auth'
            - ' -u '
            - ' -p '
    part_localauth_2:
        CommandLine|contains|all:
            - ' 10.'
            - ' 192.168.'
            - '/24 '
    condition: 1 of selection_* or all of part_localauth*
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
    - https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053
    - attack.t1059.003
    - attack.t1059.001
    - attack.s0106
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
            - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
            # cme/protocols/smb/atexec.py:109 (fileless output via share)
            - 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
            # cme/protocols/smb/atexec.py:111 (fileless output via share)
            - 'cmd.exe /C * > *\\Temp\\* 2>&1'
            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
            - 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
            - 'powershell.exe -noni -nop -w 1 -enc '
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
      type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
    selection_names_str:
        TargetFilename|endswith:
            - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
            - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
    selection_names_re:
        - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
        - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
    condition: selection_path and 1 of selection_names_*
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
    - https://github.com/byt3bl33d3r/CrackMapExec
    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
author: Thomas Patzke
date: 2020-05-22
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1027.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            - 'join*split'
            # Line 343ff
            - '( $ShellId[1]+$ShellId[13]+''x'')'
            - '( $PSHome[*]+$PSHOME[*]+'
            - '( $env:Public[13]+$env:Public[5]+''x'')'
            - '( $env:ComSpec[4,*,25]-Join'''')'
            - '[1,3]+''x''-Join'''')'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_lsass_dump1:
        CommandLine|contains|all:
            - 'tasklist /fi '
            - 'Imagename eq lsass.exe'
        CommandLine|contains:
            - 'cmd.exe /c '
            - 'cmd.exe /r '
            - 'cmd.exe /k '
            - 'cmd /c '
            - 'cmd /r '
            - 'cmd /k '
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_lsass_dump2:
        CommandLine|contains|all:
            - 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
            - '\Windows\Temp\'
            - ' full'
            - '%%B'
    selection_procdump:
        CommandLine|contains|all:
            - 'tasklist /v /fo csv'
            - 'findstr /i "lsass"'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: HackTool - CreateMiniDump Execution
id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
status: test
description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
references:
    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
author: Florian Roth (Nextron Systems)
date: 2019-12-22
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\CreateMiniDump.exe'
        - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
id: 56c217c3-2de2-479b-990f-5c109ba8458f
status: test
description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
references:
    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
author: Markus Neis, @Karneades
date: 2018-03-06
modified: 2023-03-03
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.s0111
    - attack.g0022
    - attack.g0060
    - car.2013-08-001
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - 'powershell.exe -NonI'
            - '/TN Updater /TR'
        CommandLine|contains:
            - '/SC ONLOGON'
            - '/SC DAILY /ST'
            - '/SC ONIDLE'
            - '/SC HOURLY'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
    - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
    - https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Doppelganger.exe'
        - Hashes|contains:
              - 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
              - 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: test
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024-01-02
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - EDRSilencer Execution - Filter Added
id: 98054878-5eab-434c-85d4-72d4e5a3361b
status: test
description: |
    Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
references:
    - https://github.com/netero1010/EDRSilencer
author: Thodoris Polyzos (@SmoothDeploy)
date: 2024-01-29
modified: 2024-01-30
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection:
        EventID:
            - 5441
            - 5447
        FilterName|contains: 'Custom Outbound Filter'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - EfsPotato Named Pipe Creation
id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
status: test
description: Detects the pattern of a pipe name as used by the hack tool EfsPotato
references:
    - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
    - https://github.com/zcgonvh/EfsPotato
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-12-21
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\pipe\'
            - '\pipe\srvsvc'  # more specific version (use only this one if the other causes too many false positives)
    filter_optional_ctx:
        PipeName|contains: '\CtxShare'
    filter_optional_default:
        PipeName|startswith: '\pipe\' # excludes pipes that start with \pipe\*
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - \pipe\LOCAL\Monitorian # https://github.com/emoacht/Monitorian
level: high

title: HackTool - Empire PowerShell Launch Parameters
id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
status: test
description: Detects suspicious powershell command line parameters used in Empire
references:
    - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth (Nextron Systems)
date: 2019-04-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -sta -NonI -W Hidden -Enc '
            - ' -noP -sta -w 1 -enc '
            - ' -NoP -NonI -W Hidden -enc '
            - ' -noP -sta -w 1 -enc'
            - ' -enc  SQB'
            - ' -nop -exec bypass -EncodedCommand '
    condition: selection
falsepositives:
    - Other tools that incidentally use the same command line parameters
level: high

title: HackTool - Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
    - https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020-07-13
modified: 2024-02-26
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-uri:
            - '/admin/get.php'
            - '/news.php'
            - '/login/process.php'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Valid requests with this exact user agent to server scripts of the defined names
level: high

title: HackTool - Evil-WinRm Execution - PowerShell Module
id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51
status: test
description: |
    Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
references:
    - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb
    - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-25
tags:
    - attack.lateral-movement
logsource:
    product: windows
    category: ps_module
detection:
    selection_wsm:
        ContextInfo|contains:
            - ':\Windows\System32\wsmprovhost.exe'
            - ':\Windows\SysWOW64\wsmprovhost.exe'
    selection_payload_1:
        Payload|contains:
            - value="(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592
            - value="(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490
            - 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740
            - Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761
            - Bypass-4MSI
            - IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')
    selection_payload_2:
        Payload|contains|all:
            - $servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\"
            - Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath
    selection_payload_3:
        Payload|contains|all:
            - $a +=  \"$($_.FullName.Replace('\\','/'))/\"}else{  $a += \"$($_.FullName.Replace('\\', '/'))\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001
            - $a=@();$
    condition: selection_wsm and 1 of selection_payload_*
falsepositives:
    - Unknown
level: high

title: HackTool - GMER Rootkit Detector and Remover Execution
id: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d
status: test
description: Detects the execution GMER tool based on image and hash fields.
references:
    - http://www.gmer.net/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-05
modified: 2024-11-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\gmer.exe'
    selection_sysmon_hash:
        Hashes|contains:
            - 'MD5=E9DC058440D321AA17D0600B3CA0AB04'
            - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
            - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        - SourceImage|endswith:
              - '\Akagi.exe'
              - '\Akagi64.exe'
              - '\atexec_windows.exe'
              - '\Certify.exe'
              - '\Certipy.exe'
              - '\CoercedPotato.exe'
              - '\crackmapexec.exe'
              - '\CreateMiniDump.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\gmer.exe'
              - '\hashcat.exe'
              - '\htran.exe'
              - '\ifmap_windows.exe'
              - '\impersonate.exe'
              - '\Inveigh.exe'
              - '\LocalPotato.exe'
              - '\mimikatz_windows.exe'
              - '\mimikatz.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\PasswordDump.exe'
              - '\Potato.exe'
              - '\PowerTool.exe'
              - '\PowerTool64.exe'
              - '\psexec_windows.exe'
              - '\PurpleSharp.exe'
              - '\pypykatz.exe'
              - '\QuarksPwDump.exe'
              - '\rdp_check_windows.exe'
              - '\Rubeus.exe'
              - '\SafetyKatz.exe'
              - '\sambaPipe_windows.exe'
              - '\SelectMyParent.exe'
              - '\SharpChisel.exe'
              - '\SharPersist.exe'
              - '\SharpEvtMute.exe'
              - '\SharpImpersonation.exe'
              - '\SharpLDAPmonitor.exe'
              - '\SharpLdapWhoami.exe'
              - '\SharpUp.exe'
              - '\SharpView.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\SpoolSample.exe'
              - '\Stracciatella.exe'
              - '\SysmonEOP.exe'
              - '\temp\rot.exe'
              - '\ticketer_windows.exe'
              - '\TruffleSnout.exe'
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
              - '\xordump.exe'
        - SourceImage|contains:
              - '\goldenPac'
              - '\just_dce_'
              - '\karmaSMB'
              - '\kintercept'
              - '\LocalPotato'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
              - 'HotPotato'
              - 'Juicy Potato'
              - 'JuicyPotato'
              - 'PetitPotam'
              - 'RottenPotato'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.execution
    - attack.t1106
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
    - https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\loader.exe'
        CommandLine|contains: '--pid:'
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'
            - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'
    selection_flags:
        CommandLine|contains|all:
            - '--pid:'
            - '--outfile:'
        CommandLine|contains:
            - '.dmp'
            - 'lsass'
            - '.obf'
            - 'dump'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - Hashcat Password Cracker Execution
id: 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf
status: test
description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
    - https://hashcat.net/wiki/doku.php?id=hashcat
author: frack113
date: 2021-12-27
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1110.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\hashcat.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-a '
            - '-m 1000 '
            - '-r '
    condition: 1 of selection_*
falsepositives:
    - Tools that use similar command line flags and values
level: high

title: HackTool - HollowReaper Execution
id: 85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5
status: experimental
description: |
    Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
    It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
references:
    - https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\HollowReaper.exe'
    condition: selection
falsepositives:
    - Unknown
level: high