title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
    - https://github.com/HiwinCN/HTran
    - https://github.com/cw1997/NATBypass
author: Florian Roth (Nextron Systems)
date: 2022-12-27
modified: 2023-02-04
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.s0040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\htran.exe'
            - '\lcx.exe'
    selection_cli:
        CommandLine|contains:
            - '.exe -tran '
            - '.exe -slave '
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - Hydra Password Bruteforce Execution
id: aaafa146-074c-11eb-adc1-0242ac120002
status: test
description: Detects command line parameters used by Hydra password guessing hack tool
references:
    - https://github.com/vanhauser-thc/thc-hydra
author: Vasiliy Burov
date: 2020-10-05
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1110
    - attack.t1110.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-u '
            - '-p '
        CommandLine|contains:
            - '^USER^'
            - '^PASS^'
    condition: selection
falsepositives:
    - Software that uses the caret encased keywords PASS and USER in its command line
level: high

title: HackTool - Impacket File Indicators
id: 03f4ca17-de95-428d-a75a-4ee78b047256
related:
    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
      type: similar
status: experimental
description: Detects file creation events with filename patterns used by Impacket.
references:
    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
    - https://github.com/fortra/impacket
author: "The DFIR Report, IrishDeath"
date: 2025-05-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_names_re:
        TargetFilename|re: '\\sessionresume_[a-zA-Z]{8}$' # https://github.com/fortra/impacket/blob/ead516a1209742efc7ac550707a9304ba08681e9/impacket/examples/secretsdump.py#L1925C38-L1925C51
    condition: selection_names_re
falsepositives:
    - Unknown
level: high

title: HackTool - Impacket Tools Execution
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
status: test
description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
references:
    - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-07
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
              - '\goldenPac'
              - '\karmaSMB'
              - '\kintercept'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
        - Image|endswith:
              - '\atexec_windows.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\ifmap_windows.exe'
              - '\mimikatz_windows.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\psexec_windows.exe'
              - '\rdp_check_windows.exe'
              - '\sambaPipe_windows.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\ticketer_windows.exe'
              # - '\addcomputer_windows.exe'
              # - '\esentutl_windows.exe'
              # - '\getArch_windows.exe'
              # - '\lookupsid_windows.exe'
              # - '\mqtt_check_windows.exe'
              # - '\mssqlclient_windows.exe'
              # - '\mssqlinstance_windows.exe'
              # - '\ntfs-read_windows.exe'
              # - '\ping_windows.exe'
              # - '\ping6_windows.exe'
              # - '\raiseChild_windows.exe'
              # - '\reg_windows.exe'
              # - '\registry-read_windows.exe'
              # - '\services_windows.exe'
              # - '\wmiquery_windows.exe'
    condition: selection
falsepositives:
    - Legitimate use of the impacket tools
level: high

title: HackTool - Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: test
description: Detects command line parameters used by Koadic hack tool
references:
    - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
    - https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
author: wagga, Jonhnathan Ribeiro, oscd.community
date: 2020-01-12
modified: 2023-02-11
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - '/q'
            - '/c'
            - 'chcp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - KrbRelay Execution
id: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4
status: test
description: Detects the use of KrbRelay, a Kerberos relaying tool
references:
    - https://github.com/cube0x0/KrbRelay
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\KrbRelay.exe'
        - OriginalFileName: 'KrbRelay.exe' # In case the file has been renamed after compilation
    selection_cli_1:
        CommandLine|contains|all:
            - ' -spn '
            - ' -clsid '
            - ' -rbcd '
    selection_cli_2:
        CommandLine|contains|all:
            - 'shadowcred'
            - 'clsid'
            - 'spn'
    selection_cli_3:
        CommandLine|contains|all:
            - 'spn '
            - 'session '
            - 'clsid '
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - KrbRelayUp Execution
id: 12827a56-61a4-476a-a9cb-f3068f191073
status: test
description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
references:
    - https://github.com/Dec0ne/KrbRelayUp
author: Florian Roth (Nextron Systems)
date: 2022-04-26
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\KrbRelayUp.exe'
        - OriginalFileName: 'KrbRelayUp.exe' # In case the file has been renamed after compilation
    selection_cli_1:
        CommandLine|contains|all:
            - ' relay '
            - ' -Domain '
            - ' -ComputerName '
    selection_cli_2:
        CommandLine|contains|all:
            - ' krbscm '
            - ' -sc '
    selection_cli_3:
        CommandLine|contains|all:
            - ' spawn '
            - ' -d '
            - ' -cn '
            - ' -cp '
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
status: test
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
    - https://github.com/connormcgarr/LittleCorporal
author: Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-11-28
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1204.002
    - attack.t1055.003
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\winword.exe'
        CallTrace|contains|all:
            - ':\Windows\Microsoft.NET\Framework64\v2.'
            - 'UNKNOWN'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - LocalPotato Execution
id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
status: test
description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
references:
    - https://www.localpotato.com/localpotato_html/LocalPotato.html
    - https://github.com/decoder-it/LocalPotato
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - cve.2023-21746
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\LocalPotato.exe'
    selection_cli:
        CommandLine|contains|all:
            - '.exe -i C:\'
            - '-o Windows\'
    selection_hash_plain:
        Hashes|contains:
            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - Mimikatz Execution
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://tools.thehacker.recipes/mimikatz/modules
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
date: 2019-10-22
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_name:
        CommandLine|contains:
            - 'DumpCreds'
            - 'mimikatz'
    selection_function_names: # To cover functions from modules that are not in module_names
        CommandLine|contains:
            - '::aadcookie' # misc module
            - '::detours' # misc module
            - '::memssp' # misc module
            - '::mflt' # misc module
            - '::ncroutemon' # misc module
            - '::ngcsign' # misc module
            - '::printnightmare' # misc module
            - '::skeleton' # misc module
            - '::preshutdown'  # service module
            - '::mstsc'  # ts module
            - '::multirdp'  # ts module
    selection_module_names:
        CommandLine|contains:
            - 'rpc::'
            - 'token::'
            - 'crypto::'
            - 'dpapi::'
            - 'sekurlsa::'
            - 'kerberos::'
            - 'lsadump::'
            - 'privilege::'
            - 'process::'
            - 'vault::'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: test
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
    - https://twitter.com/0gtweet/status/1465282548494487554
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2024-06-27
tags:
    - attack.credential-access
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\NPPSpy.txt'
            - '\NPPSpy.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - NetExec Execution
id: 7638e5fe-600c-4289-a968-f49dd537ec7d
status: experimental
description: |
    Detects execution of the hacktool NetExec.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
references:
    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
    - https://github.com/Pennyw0rth/NetExec
    - https://www.netexec.wiki/
author: Chirag Damani
date: 2026-03-29
tags:
    - attack.discovery
    - attack.t1018
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\nxc.exe'
        CommandLine|contains:
            - ' ftp '
            - ' ldap '
            - ' mssql '
            - ' nfs '
            - ' rdp '
            - ' smb '
            - ' ssh '
            - ' vnc '
            - ' winrm '
            - ' wmi '
    condition: selection
falsepositives:
    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml

title: HackTool - NetExec File Indicators
id: efc21479-9e83-41da-8cf1-122e06ba8db3
status: experimental
description: |
    Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
    NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
    under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
    extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
    Active Directory enumeration, credential harvesting, and remote code execution.
references:
    - https://github.com/Pennyw0rth/NetExec
    - https://www.netexec.wiki/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-08
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.discovery
    - attack.t1021.002
    - attack.t1059.005
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - Image|contains: '\nxc-windows-latest\'
        - TargetFilename|contains|all:
              - '\Temp\_MEI'
              - '\nxc\data\'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml

title: HackTool - NoFilter Execution
id: 7b14c76a-c602-4ae6-9717-eff868153fc0
status: test
description: |
    Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
references:
    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
    - https://github.com/deepinstinct/NoFilter
    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
author: Stamatis Chatzimangou (st0pp3r)
date: 2024-01-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134
    - attack.t1134.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection_5447:
        EventID: 5447
        FilterName|contains: 'RonPolicy'
    selection_5449:
        EventID: 5449
        ProviderContextName|contains: 'RonPolicy'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - PCHunter Execution
id: fca949cc-79ca-446e-8064-01aa7e52ece5
status: test
description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
references:
    - https://web.archive.org/web/20231210115125/http://www.xuetr.com/
    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-10-10
modified: 2024-11-23
tags:
    - attack.execution
    - attack.discovery
    - attack.t1082
    - attack.t1057
    - attack.t1012
    - attack.t1083
    - attack.t1007
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\PCHunter64.exe'
            - '\PCHunter32.exe'
    selection_pe:
        - OriginalFileName: 'PCHunter.exe'
        - Description: 'Epoolsoft Windows Information View Tools'
    selection_hashes:
        Hashes|contains:
            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - PPID Spoofing SelectMyParent Tool Execution
id: 52ff7941-8211-46f9-84f8-9903efb7077d
status: test
description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
references:
    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/
    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks
    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
author: Florian Roth (Nextron Systems)
date: 2022-07-23
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SelectMyParent.exe'
        - CommandLine|contains:
              - 'PPID-spoof'
              - 'ppid_spoof'
              - 'spoof-ppid'
              - 'spoof_ppid'
              - 'ppidspoof'
              - 'spoofppid'
              - 'spoofedppid'
              - ' -spawnto '
        - OriginalFileName|contains:
              - 'PPID-spoof'
              - 'ppid_spoof'
              - 'spoof-ppid'
              - 'spoof_ppid'
              - 'ppidspoof'
              - 'spoofppid'
              - 'spoofedppid'
        - Description: 'SelectMyParent'
        - Hashes|contains:
              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'
              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'
              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'
              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - Potential CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
status: test
description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
date: 2018-11-30
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Potential Impacket Lateral Movement Activity
id: 10c14723-61c7-4c75-92ca-9af245723ad2
related:
    - id: e31f89f7-36fb-4697-8ab6-48823708353b
      type: obsolete
status: stable
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
references:
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
date: 2019-09-03
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_other:
        # *** wmiexec.py
        #    parent is wmiprvse.exe
        #    examples:
        #       cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        #       cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        # *** dcomexec.py -object MMC20
        #   parent is mmc.exe
        #   example:
        #       "C:\Windows\System32\cmd.exe" /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
        # *** dcomexec.py -object ShellBrowserWindow
        #  runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
        #  example:
        #   "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
        # *** smbexec.py
        #   parent is services.exe
        #   example:
        #       C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
        ParentImage|endswith:
            - '\wmiprvse.exe'        # wmiexec
            - '\mmc.exe'        # dcomexec MMC
            - '\explorer.exe'        # dcomexec ShellBrowserWindow
            - '\services.exe'        # smbexec
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/Q'
            - '/c'
            - '\\\\127.0.0.1\\'
            - '&1'
    selection_atexec:
        ParentCommandLine|contains:
            - 'svchost.exe -k netsvcs'       # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
            - 'taskeng.exe'       # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
            # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/C'
            - 'Windows\Temp\'
            - '&1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
    - https://github.com/Porchetta-Industries/CrackMapExec
    - https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\svchost.exe'
        # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
        TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - PowerTool Execution
id: a34f79a3-8e5f-4cc3-b765-de00695452c2
status: test
description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
    - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
    - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-29
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith:
              - '\PowerTool.exe'
              - '\PowerTool64.exe'
        - OriginalFileName: 'PowerTool.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - Powerup Write Hijack DLL
id: 602a1f13-c640-4d73-b053-be9a2fa58b96
status: test
description: |
    Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
    In it's default mode, it builds a self deleting .bat file which executes malicious command.
    The detection rule relies on creation of the malicious bat file (debug.bat by default).
references:
    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
author: Subhash Popuri (@pbssubhash)
date: 2021-08-21
modified: 2024-06-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.bat'
    condition: selection
falsepositives:
    - Any powershell script that creates bat files # highly unlikely (untested)
level: high

title: HackTool - Pypykatz Credentials Dumping Activity
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
references:
    - https://github.com/skelsec/pypykatz
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022-01-05
modified: 2023-02-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - \pypykatz.exe
            - \python.exe
        CommandLine|contains|all:
            - 'live'
            - 'registry'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Quarks PwDump Execution
id: 0685b176-c816-4837-8e7b-1216f346636b
status: test
description: Detects usage of the Quarks PwDump tool via commandline arguments
references:
    - https://github.com/quarkslab/quarkspwdump
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-05
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\QuarksPwDump.exe'
    selection_cli:
        CommandLine:
            - ' -dhl'
            - ' --dump-hash-local'
            - ' -dhdc'
            - ' --dump-hash-domain-cached'
            - ' --dump-bitlocker'
            - ' -dhd '
            - ' --dump-hash-domain '
            - '--ntds-file'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
    - https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1059.003
    - attack.t1218.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'gthread-3.6.dll'
            - '\Windows\Temp\tmp.bat'
            - 'sigcmm-2.4.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - RemoteKrbRelay Execution
id: a7664b14-75fb-4a50-a223-cb9bc0afbacf
status: test
description: |
    Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\RemoteKrbRelay.exe'
        - OriginalFileName: 'RemoteKrbRelay.exe'
    selection_cli_required:
        CommandLine|contains|all:
            - ' -clsid '
            - ' -target '
            - ' -victim '
    # selection_cli_attacks:
    #     # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by "selection_cli_required"
    #     CommandLine|contains:
    #         - '-adcs ' # relay to HTTP Web Enrollment and get certificate
    #         - '-laps ' # relay to LDAP and extract LAPS passwords
    #         - '-ldapwhoami ' # relay to LDAP and get info about relayed user
    #         - '-shadowcred ' # relay to LDAP and setup Shadow Credentials
    selection_cli_attack_smb:
        CommandLine|contains|all:
            - '-smb ' # relay to SMB
            - '--smbkeyword '
        CommandLine|contains:
            - 'interactive'
            - 'secrets'
            - 'service-add'
    selection_cli_attack_rbcd_main:
        CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD
    selection_cli_attack_rbcd_options:
        CommandLine|contains:
            - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
            - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity
    selection_cli_attack_changepass:
        CommandLine|contains: '-chp ' # relay to LDAP and change user password
        CommandLine|contains|all:
            - '-chpPass ' # new password
            - '-chpUser ' # the name of the user whose password you want to change
    selection_cli_attack_addgrpname:
        CommandLine|contains|all:
            - '-addgroupmember ' # relay to LDAP and add user to group
            - '-group '
            - '-groupuser '
    condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
falsepositives:
    - Unlikely
level: high

title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
status: test
description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\windows\temp\sam.tmp'
            - ':\windows\temp\sec.tmp'
            - ':\windows\temp\sys.tmp'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'asreproast '
            - 'dump /service:krbtgt '
            - 'dump /luid:0x'
            - 'kerberoast '
            - 'createnetonly /program:'
            - 'ptt /ticket:'
            - '/impersonateuser:'
            - 'renew /ticket:'
            - 'asktgt /user:'
            - 'harvest /interval:'
            - 's4u /user:'
            - 's4u /ticket:'
            - 'hash /password:'
            - 'golden /aes256:'
            - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SILENTTRINITY Stager DLL Load
id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d
related:
    - id: 03552375-cc2c-4883-bbe4-7958d5a980be # Process Creation
      type: derived
status: test
description: Detects SILENTTRINITY stager dll loading activity
references:
    - https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-17
tags:
    - attack.command-and-control
    - attack.t1071
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Description|contains: 'st2stager'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SILENTTRINITY Stager Execution
id: 03552375-cc2c-4883-bbe4-7958d5a980be
related:
    - id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d # DLL Load
      type: derived
status: test
description: Detects SILENTTRINITY stager use via PE metadata
references:
    - https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019-10-22
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description|contains: 'st2stager'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
    Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
    - https://github.com/FalconForceTeam/SOAPHound
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - ' --buildcache '
            - ' --bhdump '
            - ' --certdump '
            - ' --dnsdump '
    selection_2:
        CommandLine|contains:
            - ' -c '
            - ' --cachefilename '
            - ' -o '
            - ' --outputdirectory'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
    - https://github.com/GhostPack/SafetyKatz
    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Temp\debug.bin'
    condition: selection
falsepositives:
    - Rare legitimate files with similar filename structure
level: high

title: HackTool - SharPersist Execution
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: test
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
    - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
    - https://github.com/mandiant/SharPersist
author: Florian Roth (Nextron Systems)
date: 2022-09-15
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SharPersist.exe'
        - Product: 'SharPersist'
    selection_cli_1:
        CommandLine|contains:
            - ' -t schtask -c '
            - ' -t startupfolder -c '
    selection_cli_2:
        CommandLine|contains|all:
            - ' -t reg -c '
            - ' -m add'
    selection_cli_3:
        CommandLine|contains|all:
            - ' -t service -c '
            - ' -m add'
    selection_cli_4:
        CommandLine|contains|all:
            - ' -t schtask -c '
            - ' -m add'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - SharpChisel Execution
id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
related:
    - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
      type: similar
status: test
description: Detects usage of the Sharp Chisel via the commandline arguments
references:
    - https://github.com/shantanu561993/SharpChisel
    - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1090.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpChisel.exe'
        - Product: 'SharpChisel'
    # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SharpDPAPI Execution
id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
status: test
description: |
    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
references:
    - https://github.com/GhostPack/SharpDPAPI
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpDPAPI.exe'
        - OriginalFileName: 'SharpDPAPI.exe'
    selection_other_cli:
        CommandLine|contains:
            - ' backupkey '
            - ' blob '
            - ' certificates '
            - ' credentials '
            - ' keepass '
            - ' masterkeys '
            - ' rdg '
            - ' vaults '
    selection_other_options_guid:
        CommandLine|contains|all:
            - ' {'
            - '}:'
    selection_other_options_flags:
        CommandLine|contains:
            - ' /file:'
            - ' /machine'
            - ' /mkfile:'
            - ' /password:'
            - ' /pvk:'
            - ' /server:'
            - ' /target:'
            - ' /unprotect'
    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
falsepositives:
    - Unknown
level: high

title: HackTool - SharpEvtMute DLL Load
id: 49329257-089d-46e6-af37-4afce4290685
related:
    - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation
      type: similar
status: test
description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2024-11-23
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
    condition: selection
falsepositives:
    - Other DLLs with the same Imphash
level: high

title: HackTool - SharpEvtMute Execution
id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
related:
    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
      type: similar
status: test
description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\SharpEvtMute.exe'
        - Description: 'SharpEvtMute'
        - CommandLine|contains:
              - '--Filter "rule '
              - '--Encoded --Filter \"'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
    - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
      type: similar
status: test
description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
    - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
    - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-02-13
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpImpersonation.exe'
        - OriginalFileName: 'SharpImpersonation.exe'
    selection_cli:
        - CommandLine|contains|all:
              - ' user:'
              - ' binary:'
        - CommandLine|contains|all:
              - ' user:'
              - ' shellcode:'
        - CommandLine|contains:
              - ' technique:CreateProcessAsUserW'
              - ' technique:ImpersonateLoggedOnuser'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
    - https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
date: 2022-08-29
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\SharpLdapWhoami.exe'
    selection_pe: # in case the file has been renamed after compilation
        - OriginalFileName|contains: 'SharpLdapWhoami'
        - Product: 'SharpLdapWhoami'
    selection_flags1:
        CommandLine|endswith:
            - ' /method:ntlm'
            - ' /method:kerb'
            - ' /method:nego'
            - ' /m:nego'
            - ' /m:ntlm'
            - ' /m:kerb'
    condition: 1 of selection*
falsepositives:
    - Programs that use the same command line flags
level: high

title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: test
description: |
    Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
    - https://github.com/0xthirteen/SharpMove/
    - https://pentestlab.blog/tag/sharpmove/
author: Luca Di Bartolomeo (CrimpSec)
date: 2024-01-29
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SharpMove.exe'
        - OriginalFileName: SharpMove.exe
    selection_cli_computer:
        # In its current implementation the "computername" flag is required in all actions
        CommandLine|contains: 'computername='
    selection_cli_actions:
        CommandLine|contains:
            - 'action=create'
            - 'action=dcom'
            - 'action=executevbs'
            - 'action=hijackdcom'
            - 'action=modschtask'
            - 'action=modsvc'
            - 'action=query'
            - 'action=scm'
            - 'action=startservice'
            - 'action=taskscheduler'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high

title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
    - id: dcd74b95-3f36-4ed9-9598-0490951643aa
      type: similar
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021-12-10
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'SharpView.exe'
        - Image|endswith: '\SharpView.exe'
        - CommandLine|contains:
              # - 'Add-DomainGroupMember'
              # - 'Add-DomainObjectAcl'
              # - 'Add-ObjectAcl'
              - 'Add-RemoteConnection'
              - 'Convert-ADName'
              - 'ConvertFrom-SID'
              - 'ConvertFrom-UACValue'
              - 'Convert-SidToName'
              # - 'ConvertTo-SID'
              - 'Export-PowerViewCSV'
              # - 'Find-DomainLocalGroupMember'
              - 'Find-DomainObjectPropertyOutlier'
              - 'Find-DomainProcess'
              - 'Find-DomainShare'
              - 'Find-DomainUserEvent'
              - 'Find-DomainUserLocation'
              - 'Find-ForeignGroup'
              - 'Find-ForeignUser'
              - 'Find-GPOComputerAdmin'
              - 'Find-GPOLocation'
              - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
              - 'Find-LocalAdminAccess'
              - 'Find-ManagedSecurityGroups'
              # - 'Get-ADObject'
              - 'Get-CachedRDPConnection'
              - 'Get-DFSshare'
              # - 'Get-DNSRecord'
              # - 'Get-DNSZone'
              # - 'Get-Domain'
              - 'Get-DomainComputer'
              - 'Get-DomainController'
              - 'Get-DomainDFSShare'
              - 'Get-DomainDNSRecord'
              # - 'Get-DomainDNSZone'
              - 'Get-DomainFileServer'
              - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
              - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
              - 'Get-DomainGroup' # 'Get-DomainGroupMember'
              - 'Get-DomainGUIDMap'
              - 'Get-DomainManagedSecurityGroup'
              - 'Get-DomainObject' # 'Get-DomainObjectAcl'
              - 'Get-DomainOU'
              - 'Get-DomainPolicy' # 'Get-DomainPolicyData'
              - 'Get-DomainSID'
              - 'Get-DomainSite'
              - 'Get-DomainSPNTicket'
              - 'Get-DomainSubnet'
              - 'Get-DomainTrust' # 'Get-DomainTrustMapping'
              # - 'Get-DomainUser'
              - 'Get-DomainUserEvent'
              # - 'Get-Forest'
              - 'Get-ForestDomain'
              - 'Get-ForestGlobalCatalog'
              - 'Get-ForestTrust'
              - 'Get-GptTmpl'
              - 'Get-GroupsXML'
              # - 'Get-GUIDMap'
              # - 'Get-IniContent'
              # - 'Get-IPAddress'
              - 'Get-LastLoggedOn'
              - 'Get-LoggedOnLocal'
              - 'Get-NetComputer' # 'Get-NetComputerSiteName'
              - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
              - 'Get-NetFileServer'
              - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
              - 'Get-NetGPO' # 'Get-NetGPOGroup'
              # - 'Get-NetGroup'
              - 'Get-NetGroupMember'
              - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
              - 'Get-NetLoggedon'
              - 'Get-NetOU'
              - 'Get-NetProcess'
              - 'Get-NetRDPSession'
              - 'Get-NetSession'
              - 'Get-NetShare'
              - 'Get-NetSite'
              - 'Get-NetSubnet'
              - 'Get-NetUser'
              # - 'Get-ObjectAcl'
              - 'Get-PathAcl'
              - 'Get-PrincipalContext'
              # - 'Get-Proxy'
              - 'Get-RegistryMountedDrive'
              - 'Get-RegLoggedOn'
              # - 'Get-SiteName'
              # - 'Get-UserEvent'
              # - 'Get-WMIProcess'
              - 'Get-WMIRegCachedRDPConnection'
              - 'Get-WMIRegLastLoggedOn'
              - 'Get-WMIRegMountedDrive'
              - 'Get-WMIRegProxy'
              - 'Invoke-ACLScanner'
              - 'Invoke-CheckLocalAdminAccess'
              - 'Invoke-Kerberoast'
              - 'Invoke-MapDomainTrust'
              - 'Invoke-RevertToSelf'
              - 'Invoke-Sharefinder'
              - 'Invoke-UserImpersonation'
              # - 'New-DomainGroup'
              # - 'New-DomainUser'
              - 'Remove-DomainObjectAcl'
              - 'Remove-RemoteConnection'
              - 'Request-SPNTicket'
              # - 'Resolve-IPAddress'
              # - 'Set-ADObject'
              - 'Set-DomainObject'
              # - 'Set-DomainUserPassword'
              - 'Test-AdminAccess'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - SharpWSUS/WSUSpendu Execution
id: b0ce780f-10bd-496d-9067-066d23dc3aa5
status: test
description: |
    Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
    Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
references:
    - https://labs.nettitude.com/blog/introducing-sharpwsus/
    - https://github.com/nettitude/SharpWSUS
    - https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
author: '@Kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-10-07
modified: 2024-08-23
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1210
logsource:
    product: windows
    category: process_creation
detection:
    selection_wsuspendu_inject:
        CommandLine|contains: ' -Inject '
    selection_wsuspendu_payload:
        CommandLine|contains:
            - ' -PayloadArgs '
            - ' -PayloadFile '
    selection_sharpwsus_commands:
        CommandLine|contains:
            - ' approve '
            - ' create '
            - ' check '
            - ' delete '
    selection_sharpwsus_flags:
        CommandLine|contains:
            - ' /payload:'
            - ' /payload='
            - ' /updateid:'
            - ' /updateid='
    condition: all of selection_wsuspendu_* or all of selection_sharpwsus_*
falsepositives:
    - Unknown
level: high

title: HackTool - Stracciatella Execution
id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
status: test
description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
references:
    - https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2024-11-23
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Stracciatella.exe'
        - OriginalFileName: 'Stracciatella.exe'
        - Description: 'Stracciatella'
        - Hashes|contains:
              - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
              - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SysmonEnte Execution
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: test
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-11-28
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_access
    product: windows
detection:
    selection_sysmon:
        TargetImage|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
        GrantedAccess: '0x1400'
    selection_calltrace:
        CallTrace: 'Ente'
    filter_main_generic:
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_main_msdefender:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
falsepositives:
    - Unknown
level: high

title: HackTool - TruffleSnout Execution
id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
status: test
description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
    - https://github.com/dsnezhkov/TruffleSnout
    - https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md
author: frack113
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'TruffleSnout.exe'
        - Image|endswith: '\TruffleSnout.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1552.001
    - cve.2021-36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
              - '\hive_sam_'  # Go version
              - '\SAM-2021-'  # C++ version
              - '\SAM-2022-'  # C++ version
              - '\SAM-2023-'  # C++ version
              - '\SAM-haxx'   # Early C++ versions
              - '\Sam.save'   # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam'  # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high

title: HackTool - UACMe Akagi Execution
id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
status: test
description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2021-08-30
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Product: 'UACMe'
        - Company:
              - 'REvol Corp'
              - 'APT 92'
              - 'UG North'
              - 'Hazardous Environments'
              - 'CD Project Rekt'
        - Description:
              - 'UACMe main module'
              - 'Pentesting utility'
        - OriginalFileName:
              - 'Akagi.exe'
              - 'Akagi64.exe'
    selection_img:
        Image|endswith:
            - '\Akagi64.exe'
            - '\Akagi.exe'
    selection_hashes_sysmon:
        Hashes|contains:
            - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
            - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
            - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
            - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
            - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
            - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
            - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
            - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
            - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
            - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
            - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
    Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
    (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
    - https://github.com/TwoSevenOneT/WSASS
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-23
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wsass.exe'
    selection_hash:
        Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
    selection_cli:
        # change to |re|i after Sigma v2.0 release
        # plain string without quotation marks as it has to match for both ' and "
        CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{0,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml

title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high

title: HackTool - Wmiexec Default Powershell Command
id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
status: test
description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
references:
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc'
    condition: selection
falsepositives:
    - Unlikely
level: high