
Sigma detection rules

275 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below can be converted to the native query syntax of Splunk, Elastic, Sentinel, and other SIEMs; the rule's raw YAML is listed beneath its summary.

Detection rules

A Member Was Added to a Security-Enabled Global Group
Detects activity when a member is added to a security-enabled global group
level: low · status: stable · author: Alexandr Yampolskyi, SOC Prime · id: c43c26be-2e87-46c7-8661-284588c5a53e
title: A Member Was Added to a Security-Enabled Global Group
id: c43c26be-2e87-46c7-8661-284588c5a53e
related:
    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
      type: obsolete
status: stable
description: Detects activity when a member is added to a security-enabled global group
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
author: Alexandr Yampolskyi, SOC Prime
date: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4728 # A member was added to a security-enabled global group
            - 632 # Security Enabled Global Group Member Added
    condition: selection
falsepositives:
    - Unknown
level: low

A Member Was Removed From a Security-Enabled Global Group
Detects activity when a member is removed from a security-enabled global group
level: low · status: stable · author: Alexandr Yampolskyi, SOC Prime · id: 02c39d30-02b5-45d2-b435-8aebfe5a8629
title: A Member Was Removed From a Security-Enabled Global Group
id: 02c39d30-02b5-45d2-b435-8aebfe5a8629
related:
    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
      type: obsolete
status: stable
description: Detects activity when a member is removed from a security-enabled global group
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
author: Alexandr Yampolskyi, SOC Prime
date: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 633 # Security Enabled Global Group Member Removed
            - 4729 # A member was removed from a security-enabled global group
    condition: selection
falsepositives:
    - Unknown
level: low

A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
level: low · status: stable · author: Alexandr Yampolskyi, SOC Prime · id: b237c54b-0f15-4612-a819-44b735e0de27
title: A Security-Enabled Global Group Was Deleted
id: b237c54b-0f15-4612-a819-44b735e0de27
related:
    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
      type: obsolete
status: stable
description: Detects activity when a security-enabled global group is deleted
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
author: Alexandr Yampolskyi, SOC Prime
date: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4730 # A security-enabled global group was deleted
            - 634 # Security Enabled Global Group Deleted
    condition: selection
falsepositives:
    - Unknown
level: low

AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
level: low · status: test · author: frack113 · id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
title: AD Groups Or Users Enumeration Using PowerShell - PoshModule
id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
status: test
description: |
    Adversaries may attempt to find domain-level groups and permission settings.
    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2023-01-20
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_ad_principal:
        - Payload|contains: 'get-ADPrincipalGroupMembership'
        - ContextInfo|contains: 'get-ADPrincipalGroupMembership'
    selection_get_aduser:
        - Payload|contains|all:
              - get-aduser
              - '-f '
              - '-pr '
              - DoesNotRequirePreAuth
        - ContextInfo|contains|all:
              - get-aduser
              - '-f '
              - '-pr '
              - DoesNotRequirePreAuth
    condition: 1 of selection_*
falsepositives:
    - Administrator script
level: low

AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
level: low · status: test · author: frack113 · id: 88f0884b-331d-403d-a3a1-b668cf035603
title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
id: 88f0884b-331d-403d-a3a1-b668cf035603
status: test
description: |
    Adversaries may attempt to find domain-level groups and permission settings.
    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    test_2:
        ScriptBlockText|contains: get-ADPrincipalGroupMembership
    test_7:
        ScriptBlockText|contains|all:
            - get-aduser
            - '-f '
            - '-pr '
            - DoesNotRequirePreAuth
    condition: 1 of test_*
falsepositives:
    - Unknown
level: low

ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
level: low · status: test · author: Orlinum, BlueDefenZer · id: 5ee3a654-372f-11ec-8d3d-0242ac130003
title: ADCS Certificate Template Configuration Vulnerability
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
status: test
description: Detects certificate creation with template allowing risk permission subject
references:
    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum , BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
logsource:
    product: windows
    service: security
    definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag.
detection:
    selection1:
        EventID: 4898
        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    selection2:
        EventID: 4899
        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    condition: selection1 or selection2
falsepositives:
    - Administrator activity
    - Proxy SSL certificate with subject modification
    - Smart card enrollement
level: low

AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
level: low · status: test · author: Diogo Braz · id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: test
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020-04-16
modified: 2022-10-05
tags:
    - attack.collection
    - attack.t1005
    - attack.exfiltration
    - attack.t1537
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'CreateInstanceExportTask'
        eventSource: 'ec2.amazonaws.com'
    filter1:
        errorMessage|contains: '*'
    filter2:
        errorCode|contains: '*'
    filter3:
        responseElements|contains: 'Failure'
    condition: selection and not 1 of filter*
level: low

AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
level: low · status: test · author: Austin Songer · id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
status: test
description: Identifies when an EKS cluster is created or deleted.
references:
    - https://any-api.com/amazonaws_com/eks/docs/API_Description
author: Austin Songer
date: 2021-08-16
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: eks.amazonaws.com
        eventName:
            - CreateCluster
            - DeleteCluster
    condition: selection
falsepositives:
    - EKS Cluster being created or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS ElastiCache Security Group Created
Detects when an ElastiCache security group has been created.
level: low · status: test · author: Austin Songer @austinsonger · id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
status: test
description: Detects when an ElastiCache security group has been created.
references:
    - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1136
    - attack.t1136.003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticache.amazonaws.com
        eventName: 'CreateCacheSecurityGroup'
    condition: selection
falsepositives:
    - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
level: low · status: test · author: Austin Songer @austinsonger · id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
status: test
description: Identifies when an ElastiCache security group has been modified or deleted.
references:
    - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: elasticache.amazonaws.com
        eventName:
            - 'DeleteCacheSecurityGroup'
            - 'AuthorizeCacheSecurityGroupIngress'
            - 'RevokeCacheSecurityGroupIngress'
            - 'AuthorizeCacheSecurityGroupEgress'
            - 'RevokeCacheSecurityGroupEgress'
    condition: selection
falsepositives:
    - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS Glue Development Endpoint Activity
Detects possible suspicious glue development endpoint activity.
level: low · status: test · author: Austin Songer @austinsonger · id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
title: AWS Glue Development Endpoint Activity
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
status: test
description: Detects possible suspicious glue development endpoint activity.
references:
    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
    - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
author: Austin Songer @austinsonger
date: 2021-10-03
modified: 2022-12-18
tags:
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'glue.amazonaws.com'
        eventName:
            - 'CreateDevEndpoint'
            - 'DeleteDevEndpoint'
            - 'UpdateDevEndpoint'
    condition: selection
falsepositives:
    - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS New Lambda Layer Attached
Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.
level: low · status: test · author: Austin Songer · id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
title: AWS New Lambda Layer Attached
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
status: test
description: |
  Detects when a user attached a Lambda layer to an existing Lambda function.
  A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.
  This would give an adversary access to resources that the function has access to.
references:
    - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
    - https://github.com/clearvector/lambda-spy
author: Austin Songer
date: 2021-09-23
modified: 2025-03-17
tags:
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName|startswith: 'UpdateFunctionConfiguration'
        requestParameters.layers|contains: '*'
    condition: selection
falsepositives:
    - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS Route 53 Domain Transfer Lock Disabled
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
level: low · status: test · author: Elastic, Austin Songer @austinsonger · id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
status: test
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
references:
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
    - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
    - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
author: Elastic, Austin Songer @austinsonger
date: 2021-07-22
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1098
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: route53.amazonaws.com
        eventName: DisableDomainTransferLock
    condition: selection
falsepositives:
    - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
level: low · status: test · author: Elastic, Austin Songer @austinsonger · id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
status: test
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
references:
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
author: Elastic, Austin Songer @austinsonger
date: 2021-07-22
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.t1098
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: route53.amazonaws.com
        eventName: TransferDomainToAnotherAwsAccount
    condition: selection
falsepositives:
    - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS S3 Data Management Tampering
Detects when a user tampers with S3 data management in Amazon Web Services.
level: low · status: test · author: Austin Songer @austinsonger · id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
status: test
description: Detects when a user tampers with S3 data management in Amazon Web Services.
references:
    - https://github.com/elastic/detection-rules/pull/1145/files
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
    - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1537
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: s3.amazonaws.com
        eventName:
            - PutBucketLogging
            - PutBucketWebsite
            - PutEncryptionConfiguration
            - PutLifecycleConfiguration
            - PutReplicationConfiguration
            - ReplicateObject
            - RestoreObject
    condition: selection
falsepositives:
    - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
level: low · status: test · author: Austin Songer @austinsonger · id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
status: test
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
references:
    - https://github.com/elastic/detection-rules/pull/1214
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.type: AssumedRole
        userIdentity.sessionContext.sessionIssuer.type: Role
    condition: selection
falsepositives:
    - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    - Automated processes that uses Terraform may lead to false positives.
level: low

AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
level: low · status: test · author: Austin Songer @austinsonger · id: b45ab1d2-712f-4f01-a751-df3826969807
title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
status: test
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
references:
    - https://github.com/elastic/detection-rules/pull/1213
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: sts.amazonaws.com
        eventName: GetSessionToken
        userIdentity.type: IAMUser
    condition: selection
falsepositives:
    - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
level: low · status: test · author: Florian Roth (Nextron Systems) · id: 098d7118-55bc-4912-a836-dc6483a8d150
title: Access To ADMIN$ Network Share
id: 098d7118-55bc-4912-a836-dc6483a8d150
status: test
description: Detects access to ADMIN$ network share
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
author: Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2024-01-16
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5140
        ShareName: 'Admin$'
    filter_main_computer_account:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate administrative activity
level: low

Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
level: low · status: test · author: @SerkinValery · id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: test
description: |
    Detects denied requests by Active Directory Certificate Services.
    Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
    - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
date: 2024-03-07
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-CertificationAuthority'
        EventID: 53
    condition: selection
falsepositives:
    - Unknown
level: low

Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
level: low · status: test · author: frack113 · id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
author: frack113
date: 2022-03-17
modified: 2023-07-08
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Get-AdComputer '
    selection_option:
        ScriptBlockText|contains:
            - '-Filter '
            - '-LDAPFilter '
            - '-Properties '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

Active Directory Group Enumeration With Get-AdGroup
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
level: low · status: test · author: frack113 · id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
title: Active Directory Group Enumeration With Get-AdGroup
id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
status: test
description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: frack113
date: 2022-03-17
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1069.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-AdGroup '
            - '-Filter'
    condition: selection
falsepositives:
    - Unknown
level: low

Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
level: low · status: test · author: frack113 · id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
title: Add or Remove Computer from DC
id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
status: test
description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
author: frack113
date: 2022-10-14
tags:
    - attack.defense-impairment
    - attack.t1207
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID:
            - 4741
            - 4743
    condition: selection
falsepositives:
    - Unknown
level: low

Admin User Remote Logon
Detect remote login by Administrator user (depending on internal pattern).
level: low · status: test · author: juju4 · id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
status: test
description: Detect remote login by Administrator user (depending on internal pattern).
references:
    - https://car.mitre.org/wiki/CAR-2016-04-005
author: juju4
date: 2017-10-29
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - attack.t1078.002
    - attack.t1078.003
    - car.2016-04-005
logsource:
    product: windows
    service: security
    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
        TargetUserName|startswith: 'Admin'
    condition: selection
falsepositives:
    - Legitimate administrative activity.
level: low
low
Application Uninstalled
An application has been removed. Check if it is critical.
status test author frack113 id 570ae5ec-33dc-427c-b815-db86228ad43e
title: Application Uninstalled
id: 570ae5ec-33dc-427c-b815-db86228ad43e
status: test
description: An application has been removed. Check if it is critical.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
    - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
author: frack113
date: 2022-01-28
modified: 2022-09-17
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1034 # Windows Installer removed the product
            - 11724 # Product Removal Successful
    condition: selection
falsepositives:
    - Unknown
# Level is low because this rule can be very verbose; sorting by the top or bottom 10 "Product Name" values gives a quick overview
level: low
low
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
status test author Pawel Mazur, Milad Cheraghi id a7af2487-9c2f-42e4-9bb9-ff961f0561d5
title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
status: test
description: Detects attempts to record audio using the arecord and ecasound utilities.
references:
    - https://linux.die.net/man/1/arecord
    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
    - https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
    - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
author: Pawel Mazur, Milad Cheraghi
date: 2021-09-04
modified: 2025-12-05
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: linux
    service: auditd
detection:
    selection_execve:
        type: EXECVE
        a0: arecord
        a1: '-vv'
        a2: '-fdat'
    selection_syscall_memfd_create:
        type: SYSCALL
        exe|endswith: "/ecasound"
        SYSCALL: 'memfd_create'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low
low
Automated Collection Bookmarks Using Get-ChildItem PowerShell
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
status test author frack113 id e0565f5d-d420-4e02-8a68-ac00d864f9cf
title: Automated Collection Bookmarks Using Get-ChildItem PowerShell
id: e0565f5d-d420-4e02-8a68-ac00d864f9cf
status: test
description: |
    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
    internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1217
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ChildItem'
            - ' -Recurse '
            - ' -Path '
            - ' -Filter Bookmarks'
            - ' -ErrorAction SilentlyContinue'
            - ' -Force'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
status test author MikeDuddington, '@dudders1' id 28eea407-28d7-4e42-b0be-575d5ba60b2c
title: Azure AD Only Single Factor Authentication Required
id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
status: test
description: Detect when users are authenticating without MFA being required.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.defense-impairment
    - attack.t1078.004
    - attack.t1556.006
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: low
low
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
status test author Austin Songer @austinsonger id 93e0ef48-37c8-49ed-a02c-038aab23628e
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: test
description: Detects when a Container Registry is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
    condition: selection
falsepositives:
    - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
Azure Kubernetes Cluster Created or Deleted
Detects when an Azure Kubernetes Cluster is created or deleted.
status test author Austin Songer @austinsonger id 9541f321-7cba-4b43-80fc-fbd1fb922808
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when an Azure Kubernetes Cluster is created or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
    condition: selection
falsepositives:
    - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
low
Bash Interactive Shell
Detects execution of the bash shell with the interactive flag "-i".
status test author @d4ns4n_ id 6104e693-a7d6-4891-86cb-49a258523559
title: Bash Interactive Shell
id: 6104e693-a7d6-4891-86cb-49a258523559
status: test
description: Detects execution of the bash shell with the interactive flag "-i".
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
    - https://linux.die.net/man/1/bash
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/bash'
        CommandLine|contains: ' -i '
    condition: selection
falsepositives:
    - Unknown
level: low
low
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and any usage of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
status test author Josh Nickels, mttaggart id 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
title: BitLockerTogo.EXE Execution
id: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
status: test
description: |
    Detects the execution of "BitLockerToGo.EXE".
    BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted using the NTFS, FAT16, FAT32, or exFAT file system.
    This is a rarely used application and any usage of it is worth investigating.
    Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
references:
    - https://tria.ge/240521-ynezpagf56/behavioral1
    - https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
    - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
    - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
author: Josh Nickels, mttaggart
date: 2024-07-11
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\BitLockerToGo.exe'
    condition: selection
falsepositives:
    - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.
level: low
low
Bitbucket Project Secret Scanning Allowlist Added
Detects when a secret scanning allowlist rule is added for projects.
status test author Muhammad Faisal (@faisalusuf) id 42ccce6d-7bd3-4930-95cd-e4d83fa94a30
title: Bitbucket Project Secret Scanning Allowlist Added
id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30
status: test
description: Detects when a secret scanning allowlist rule is added for projects.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Projects'
        auditType.action: 'Project secret scanning allowlist rule added'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: low
low
Bitbucket Secret Scanning Rule Deleted
Detects when a secret scanning rule is deleted for a project or repository.
status test author Muhammad Faisal (@faisalusuf) id ff91e3f0-ad15-459f-9a85-1556390c138d
title: Bitbucket Secret Scanning Rule Deleted
id: ff91e3f0-ad15-459f-9a85-1556390c138d
status: test
description: Detects when a secret scanning rule is deleted for a project or repository.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category:
            - 'Projects'
            - 'Repositories'
        auditType.action:
            - 'Project secret scanning rule deleted'
            - 'Repository secret scanning rule deleted'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: low
low
Browser Execution In Headless Mode
Detects execution of a Chromium-based browser in headless mode.
status test author Nasreddine Bencherchali (Nextron Systems) id ef9dcfed-690c-4c5d-a9d1-482cd422225c
title: Browser Execution In Headless Mode
id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
related:
    - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
      type: derived
status: test
description: Detects execution of a Chromium-based browser in headless mode.
references:
    - https://twitter.com/mrd0x/status/1478234484881436672?s=12
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-12
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1105
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--headless'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Capabilities Discovery - Linux
Detects usage of the "getcap" binary. This is often used during recon activity to determine which binaries carry capabilities that could be abused, for example as listed on GTFOBins.
status test author Nasreddine Bencherchali (Nextron Systems) id d8d97d51-122d-4cdd-9e2f-01b4b4933530
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of the "getcap" binary. This is often used during recon activity to determine which binaries carry capabilities that could be abused, for example as listed on GTFOBins.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains: ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
low
Change Default File Association Via Assoc
Detects file association changes using the built-in "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access, or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with that extension is opened.
status test author Timur Zinniatullin, oscd.community id 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
title: Change Default File Association Via Assoc
id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
related:
    - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
      type: similar
status: test
description: |
    Detects file association changes using the built-in "assoc" command.
    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access, or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with that extension is opened.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-03-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains: 'assoc'
    condition: all of selection_*
falsepositives:
    - Admin activity
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml
low
Cisco BGP Authentication Failures
Detects BGP authentication failures, which may be indicative of brute force attacks aimed at manipulating routing.
status test author Tim Brown id 56fa3cd6-f8d6-4520-a8c7-607292971886
title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP authentication failures, which may be indicative of brute force attacks aimed at manipulating routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: bgp
    definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_cisco:
        '|all':
            - ':179' # Protocol
            - 'IP-TCP-3-BADAUTH'
    condition: keywords_bgp_cisco
falsepositives:
    - Unlikely, except as a result of misconfiguration
level: low
low
Cisco Collect Data
Collect pertinent data from the configuration files
status test author Austin Clark id cd072b25-a418-4f98-8ebc-5093fb38fe1a
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.credential-access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low
low
Cisco Discovery
Find information about network devices that is not stored in config files
status test author Austin Clark id 9705a6a1-6db6-4a16-a987-15b7151e299b
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'dir'
        - 'show arp'
        - 'show cdp'
        - 'show clock'
        - 'show ip interface'
        - 'show ip route'
        - 'show ip sockets'
        - 'show processes'
        - 'show ssh'
        - 'show users'
        - 'show version'
    condition: keywords
falsepositives:
    - Commonly used by administrators for troubleshooting
level: low
low
Cisco LDP Authentication Failures
Detects LDP authentication failures, which may be indicative of brute force attacks aimed at manipulating MPLS labels.
status test author Tim Brown id 50e606bf-04ce-4ca7-9d54-3449494bbd4b
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP authentication failures, which may be indicative of brute force attacks aimed at manipulating MPLS labels.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: ldp
    definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
    selection_protocol:
        - 'LDP'
    selection_keywords:
        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
        - 'TCPMD5AuthenFail'
    condition: selection_protocol and selection_keywords
falsepositives:
    - Unlikely, except as a result of misconfiguration
level: low
low
Cisco Stage Data
Various protocols may be used to put data on the device for exfiltration or infiltration.
status test author Austin Clark id 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: test
description: Various protocols may be used to put data on the device for exfiltration or infiltration.
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.collection
    - attack.lateral-movement
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1074
    - attack.t1105
    - attack.t1560.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'tftp'
        - 'rcp'
        - 'puts'
        - 'copy'
        - 'configure replace'
        - 'archive tar'
    condition: keywords
falsepositives:
    - Generally used to copy configs or IOS images
level: low
low
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
status stable author Alexandr Yampolskyi, SOC Prime, Tim Shelton id d7fb8f0e-bd5f-45c2-b467-19571c490d7e
title: Cleartext Protocol Usage
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
status: stable
description: |
    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
date: 2019-03-26
modified: 2022-10-10
tags:
    - attack.credential-access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 3306
            - 1433
            - 11211
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    selection_allow1:
        action:
            - forward
            - accept
            - 2
    selection_allow2:
        blocked: "false" # not all firewalls set an action value; some instead only flag whether the connection was blocked or allowed
    condition: selection and 1 of selection_allow*
falsepositives:
    - Unknown
level: low
low
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard from users with the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
status test author Pawel Mazur id f200dc3f-b219-425d-a17e-c38467364816
title: Clipboard Collection of Image Data with Xclip Tool
id: f200dc3f-b219-425d-a17e-c38467364816
status: test
description: |
  Detects attempts to collect image data stored in the clipboard from users with the xclip tool.
  Xclip has to be installed.
  Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
references:
    - https://linux.die.net/man/1/xclip
author: 'Pawel Mazur'
date: 2021-10-01
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-t'
        a4|startswith: 'image/'
        a5: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
low
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
status test author Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id ec127035-a636-4b9a-8555-0efd4e59f316
title: Clipboard Collection with Xclip Tool
id: ec127035-a636-4b9a-8555-0efd4e59f316
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users with the xclip tool. Xclip has to be installed.
    Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
references:
    - https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|contains: 'xclip'
        CommandLine|contains|all:
            - '-sel'
            - 'clip'
            - '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools.
level: low
low
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard from users with the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
status test author Pawel Mazur id 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
title: Clipboard Collection with Xclip Tool - Auditd
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
status: test
description: |
  Detects attempts to collect data stored in the clipboard from users with the xclip tool.
  Xclip has to be installed.
  Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
references:
    - https://linux.die.net/man/1/xclip
    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
author: 'Pawel Mazur'
date: 2021-09-24
modified: 2022-11-26
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
low
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
status experimental author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id f8931561-97f5-4c46-907f-0a4a592e47a7
title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
id: f8931561-97f5-4c46-907f-0a4a592e47a7
status: experimental
description: |
    Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
    This event is best correlated with EID 3089 to determine the error of the validation.
references:
    - https://twitter.com/SBousseaden/status/1483810148602814466
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-20
modified: 2025-02-28
tags:
    - attack.execution
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.
            - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.
    filter_optional_dtrace:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
        FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
        RequestedPolicy: 12
    filter_optional_av_generic:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
        FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
        FileNameBuffer|endswith: '\igd10iumd64.dll'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_electron_based_app:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|endswith:
            - '\AppData\Local\Keybase\Gui\Keybase.exe'
            - '\Microsoft\Teams\stage\Teams.exe'
        RequestedPolicy: 8
    filter_optional_bonjour:
        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
        ProcessNameBuffer|endswith:
            - '\Windows\System32\svchost.exe'
            - '\Windows\System32\SIHClient.exe'
        RequestedPolicy:
            - 8
            - 12
    filter_optional_msoffice_1:
        FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
        FileNameBuffer|endswith: '\MSOXMLMF.DLL'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_msoffice_2:
        ProcessNameBuffer|contains: '\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office'
        FileNameBuffer|contains: '\Windows\System32\'
        RequestedPolicy: 8
    filter_optional_slack:
        # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
        # Even though this is the same DLL as in the electron-based app filter, Slack needs a separate selection because its install folder name includes the version number
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
        ProcessNameBuffer|endswith: '\slack.exe'
        RequestedPolicy: 8
    filter_optional_firefox:
        # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
        FileNameBuffer|endswith:
            - '\Mozilla Firefox\mozavcodec.dll'
            - '\Mozilla Firefox\mozavutil.dll'
        ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
        RequestedPolicy: 8
    filter_optional_avast:
        FileNameBuffer|endswith:
            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
        RequestedPolicy:
            - 8
            - 12
    filter_main_gac:
        # Filtering the path containing this string because of multiple possible DLLs in that location
        FileNameBuffer|contains: '\Windows\assembly\GAC\'
        ProcessNameBuffer|endswith: '\mscorsvw.exe'
        ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
        RequestedPolicy: 8
    filter_optional_google_drive:
        # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
        FileNameBuffer|endswith: '\crashpad_handler.exe'
        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
        RequestedPolicy: 8
    filter_optional_trend_micro:
        FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
        RequestedPolicy: 8
    filter_optional_mdns_responder:
        FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'
    filter_optional_mcafee:
        FileNameBuffer|endswith:
            - '\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll'
            - '\Program Files\McAfee\MfeAV\AMSIExt.dll'
    filter_optional_eset:
        FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
    filter_optional_comodo:
        FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
    filter_optional_sentinel_one:
        # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
        # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
    filter_optional_national_instruments:
        # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
        FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
    filter_optional_kaspersky:
        # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
        - ProcessNameBuffer|contains|all:
              - '\Kaspersky Lab\'
              - '\avp.exe'
        - FileNameBuffer|contains|all:
              - '\Kaspersky Lab\'
              - '\antimalware_provider.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus and other third-party products are known to trigger this rule quite a lot. Initial filtering and tuning are required before using this rule.
level: low
low
Compressed File Creation Via Tar.EXE
Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
status test author Nasreddine Bencherchali (Nextron Systems), AdmU3 id 418a3163-3247-4b7b-9933-dcfcb7c52ea9
title: Compressed File Creation Via Tar.EXE
id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
status: test
description: |
    Detects execution of "tar.exe" in order to create a compressed file.
    Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: Nasreddine Bencherchali (Nextron Systems), AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_create:
        CommandLine|contains:
            - '-c'
            - '-r'
            - '-u'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
low
Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" in order to extract a compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
status test author AdmU3 id bf361876-6620-407a-812f-bfe11e51e924
title: Compressed File Extraction Via Tar.EXE
id: bf361876-6620-407a-812f-bfe11e51e924
status: test
description: |
    Detects execution of "tar.exe" in order to extract a compressed file.
    Adversaries may abuse various utilities in order to decompress data to avoid detection.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_extract:
        CommandLine|contains: '-x'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
low
Connection Proxy
Detects the setting of a proxy configuration
status test author Ömer Günal id 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects the setting of a proxy configuration
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'http_proxy='
            - 'https_proxy='
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
status test author Seth Hanford id 746c86fb-ccda-4816-8997-01386263acc4
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection_tools:
        Image|endswith:
            - 'awk'
            - '/cat'
            - 'grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nl'
            - '/tail'
    selection_procfs_kthreadd:  # outside containers, PID 2 == kthreadd
        CommandLine|contains: '/proc/2/'
    selection_procfs_target:
        CommandLine|contains: '/proc/'
        CommandLine|endswith:
            - '/cgroup'  # cgroups end in ':/' outside containers
            - '/sched'   # PID mismatch when run in containers
    condition: selection_tools and 1 of selection_procfs_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin