title: Container With A hostPath Mount Created
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: test
description: |
    Detects creation of a container with a hostPath mount.
    A hostPath volume mounts a directory or a file from the node to the container.
    Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
    - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
level: low

title: Creation Of A Local User Account
id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
    - https://ss64.com/osx/sysadminctl.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2023-02-18
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection_dscl:
        Image|endswith: '/dscl'
        CommandLine|contains: 'create'
    selection_sysadminctl:
        Image|endswith: '/sysadminctl'
        CommandLine|contains: 'addUser'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low

title: Crontab Enumeration
id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
status: test
description: Detects usage of crontab to list the tasks of the user
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1007
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/crontab'
        CommandLine|contains: ' -l'
    condition: selection
falsepositives:
    - Legitimate use of crontab
level: low

title: Curl Usage on Linux
id: ea34fb97-e2c4-4afb-810f-785e4459b194
status: test
description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: low

title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: test
description: Detects potential overwriting and deletion of a file using DD.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-07-07
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    category: process_creation
detection:
    selection1:
        Image:
            - '/bin/dd'
            - '/usr/bin/dd'
    selection2:
        CommandLine|contains: 'of='
    selection3:
        CommandLine|contains:
            - 'if=/dev/zero'
            - 'if=/dev/null'
    condition: all of selection*
falsepositives:
    - Any user deleting files that way.
level: low

title: DMSA Link Attributes Modified
id: 9b111d8e-92e0-4153-88bc-daefc1333aba
related:
    - id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
      type: similar
status: experimental
description: |
    Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
    This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - '.Put("msDS-ManagedAccountPrecededByLink'
            - 'CN='
    condition: selection
falsepositives:
    - Legitimate administrative tasks modifying these attributes.
level: low

title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021-08-19
modified: 2022-07-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.impact
    - attack.t1496
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - 'monerohash.com'
            - 'do-dear.com'
            - 'xmrminerpro.com'
            - 'secumine.net'
            - 'xmrpool.com'
            - 'minexmr.org'
            - 'hashanywhere.com'
            - 'xmrget.com'
            - 'mininglottery.eu'
            - 'minergate.com'
            - 'moriaxmr.com'
            - 'multipooler.com'
            - 'moneropools.com'
            - 'xmrpool.eu'
            - 'coolmining.club'
            - 'supportxmr.com'
            - 'minexmr.com'
            - 'hashvault.pro'
            - 'xmrpool.net'
            - 'crypto-pool.fr'
            - 'xmr.pt'
            - 'miner.rocks'
            - 'walpool.com'
            - 'herominers.com'
            - 'gntl.co.uk'
            - 'semipool.com'
            - 'coinfoundry.org'
            - 'cryptoknight.cc'
            - 'fairhash.org'
            - 'baikalmine.com'
            - 'tubepool.xyz'
            - 'fairpool.xyz'
            - 'asiapool.io'
            - 'coinpoolit.webhop.me'
            - 'nanopool.org'
            - 'moneropool.com'
            - 'miner.center'
            - 'prohash.net'
            - 'poolto.be'
            - 'cryptoescrow.eu'
            - 'monerominers.net'
            - 'cryptonotepool.org'
            - 'extrmepool.org'
            - 'webcoin.me'
            - 'kippo.eu'
            - 'hashinvest.ws'
            - 'monero.farm'
            - 'linux-repository-updates.com'
            - '1gh.com'
            - 'dwarfpool.com'
            - 'hash-to-coins.com'
            - 'pool-proxy.com'
            - 'hashfor.cash'
            - 'fairpool.cloud'
            - 'litecoinpool.org'
            - 'mineshaft.ml'
            - 'abcxyz.stream'
            - 'moneropool.ru'
            - 'cryptonotepool.org.uk'
            - 'extremepool.org'
            - 'extremehash.com'
            - 'hashinvest.net'
            - 'unipool.pro'
            - 'crypto-pools.org'
            - 'monero.net'
            - 'backup-pool.com'
            - 'mooo.com' # Dynamic DNS, may want to exclude
            - 'freeyy.me'
            - 'cryptonight.net'
            - 'shscrypto.net'
    exclude_answers:
        answers:
            - '127.0.0.1'
            - '0.0.0.0'
    exclude_rejected:
        rejected: 'true'
    condition: selection and not 1 of exclude_*
falsepositives:
    - A DNS lookup does not necessarily  mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
level: low

title: DNS Query Request By QuickAssist.EXE
id: 882e858a-3233-4ba8-855e-2f3d3575803d
status: experimental
description: |
    Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.initial-access
    - attack.lateral-movement
    - attack.t1071.001
    - attack.t1210
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low

title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: test
description: |
    Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
    When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
    - https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
    - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
    - https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024-02-26
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName: 'update.onelaunch.com'
        Image|endswith: '\OneLaunch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: low

title: DNS Query To Ufile.io
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
related:
    - id: 090ffaad-c01a-4879-850c-6d57da98452d
      type: similar
status: test
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad, TheDFIRReport
date: 2022-06-23
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'ufile.io'
    condition: selection
falsepositives:
    - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low

title: DNS Query To Ufile.io - DNS Client
id: 090ffaad-c01a-4879-850c-6d57da98452d
related:
    - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
      type: similar
status: test
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains: 'ufile.io'
    condition: selection
falsepositives:
    - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low

title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
    - attack.discovery
    - attack.t1482
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|startswith: '_ldap.'
    filter_main_generic:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
            - ':\Windows\'
    filter_main_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_unknown:
        Image: '<unknown process>'
    filter_optional_azure:
        Image|startswith: 'C:\WindowsAzure\GuestAgent'
    filter_main_null:
        Image: null
    filter_optional_browsers:
        # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\opera.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
# Note: Incrase the level once a baseline is established
level: low

title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-07-28
tags:
    - attack.exfiltration
    - attack.collection
    - attack.t1560.001
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'execve'
        a0: 'zip'
    selection2:
        type: 'execve'
        a0: 'gzip'
        a1: '-k'
    selection3:
        type: 'execve'
        a0: 'tar'
        a1|contains: '-c'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of archiving tools by legitimate user.
level: low

title: Data Copied To Clipboard Via Clip.EXE
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
status: test
description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
author: frack113
date: 2021-07-27
modified: 2023-02-21
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\clip.exe'
        - OriginalFileName: clip.exe
    condition: selection
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml
simulation:
    - type: atomic-red-team
      name: Utilize Clipboard to store or execute commands from
      technique: T1115
      atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7

title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/base64'
        CommandLine|contains: '-d' # Also covers "--decode"
    condition: selection
falsepositives:
    - Legitimate activities
level: low

title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-26
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image: '/usr/bin/base64'
        CommandLine|contains: '-d'
    condition: selection
falsepositives:
    - Legitimate activities
level: low

title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: test
description: |
    Detects the removal of a deployment from a Kubernetes cluster.
    This could indicate disruptive activity aiming to impact business operations.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1498
    - attack.impact
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'deployments'
    condition: selection
falsepositives:
    - Unknown
level: low

title: DirLister Execution
id: b4dc61f5-6cce-468e-a608-b48b469feaa2
status: test
description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
    - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
author: frack113
date: 2022-08-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'DirLister.exe'
        - Image|endswith: '\DirLister.exe'
    condition: selection
falsepositives:
    - Legitimate use by users
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/info.yml
simulation:
    - type: atomic-red-team
      name: Launch DirLister Executable
      technique: T1083
      atomic_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7

title: Directory Removal Via Rmdir
id: 41ca393d-538c-408a-ac27-cf1e038be80c
status: test
description: |
    Detects execution of the builtin "rmdir" command in order to delete directories.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2023-03-07
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_rmdir:
        CommandLine|contains: 'rmdir'
    selection_flags:
        CommandLine|contains:
            - '/s'
            - '/q'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml

title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-06-28
tags:
    - attack.discovery
    - attack.t1124
logsource:
    category: process_creation
    product: windows
detection:
    selection_time:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'time'
    selection_w32tm:
        Image|endswith: '\w32tm.exe'
        CommandLine|contains: 'tz'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of the system utilities to discover system time for legitimate reason
level: low

title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            # Note: add additional tools and utilities to increase coverage
            - '/cat'
            - '/dir'
            - '/find'
            - '/ls'
            - '/stat'
            - '/test'
            - 'grep'
        CommandLine|endswith: '.dockerenv'
    condition: selection
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low

title: Download From Suspicious TLD - Blacklist
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
related:
    - id: b5de2919-b74a-4805-91a7-5049accbaefe
      type: similar
status: test
description: Detects download of certain file types from hosts in suspicious TLDs
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth (Nextron Systems)
date: 2017-11-07
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            # Symantec / Chris Larsen analysis
            - '.country'
            - '.stream'
            - '.gdn'
            - '.mom'
            - '.xin'
            - '.kim'
            - '.men'
            - '.loan'
            - '.download'
            - '.racing'
            - '.online'
            - '.science'
            - '.ren'
            - '.gb'
            - '.win'
            - '.top'
            - '.review'
            - '.vip'
            - '.party'
            - '.tech'
            - '.xyz'
            - '.date'
            - '.faith'
            - '.zip'
            - '.cricket'
            - '.space'
            # McAfee report
            - '.info'
            - '.vn'
            - '.cm'
            - '.am'
            - '.cc'
            - '.asia'
            - '.ws'
            - '.tk'
            - '.biz'
            - '.su'
            - '.st'
            - '.ro'
            - '.ge'
            - '.ms'
            - '.pk'
            - '.nu'
            - '.me'
            - '.ph'
            - '.to'
            - '.tt'
            - '.name'
            - '.tv'
            - '.kz'
            - '.tc'
            - '.mobi'
            # Spamhaus
            - '.study'
            - '.click'
            - '.link'
            - '.trade'
            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '.cf'
            - '.gq'
            - '.ml'
            - '.ga'
            # Custom
            - '.pw'
    condition: selection
falsepositives:
    - All kinds of software downloads
level: low

title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
      type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
falsepositives:
    - All kind of software downloads
level: low

title: Dynamic CSharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: test
description: |
    When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
    Certain processes are not typically observed compiling C# code, but can do so without touching disk.
    This can be used to unpack a payload for execution
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
author: frack113
date: 2022-01-09
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1027.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.cmdline'
    condition: selection
falsepositives:
    - Unknown
level: low

title: ETW Logging Disabled For SCM
id: 4f281b83-0200-4b34-bf35-d24687ea57c2
status: test
description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
references:
    - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
        Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
    condition: selection
falsepositives:
    - Unknown
level: low

title: ETW Logging Disabled For rpcrt4.dll
id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
status: test
description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
references:
    - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
        Details:
            # This is disabled by default for some reason
            - 'DWORD (0x00000000)' # Off
            - 'DWORD (0x00000002)' # Off with exceptions
    condition: selection
falsepositives:
    - Unknown
level: low

title: End User Consent
id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a
status: test
description: Detects when an end user consents to an application
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        ConsentContext.IsAdminConsent: 'false'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
related:
    - id: 82880171-b475-4201-b811-e9c826cd5eaa
      type: similar
status: test
description: Detects the export of the target Registry key to a file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.discovery
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains|windash: ' -E '
    filter_1:   # filters to avoid intersection with critical keys rule
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    filter_2:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: all of selection_* and not all of filter_*
falsepositives:
    - Legitimate export of keys
level: low

title: External Disk Drive Or USB Storage Device Was Recognized By The System
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external disk drives or plugged-in USB devices.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
author: Keith Wright
date: 2019-11-20
modified: 2024-02-09
tags:
    - attack.t1091
    - attack.t1200
    - attack.lateral-movement
    - attack.initial-access
logsource:
    product: windows
    service: security
detection:
    selection_eid:
        EventID: 6416
    selection_field:
        - ClassName: 'DiskDrive'
        - DeviceDescription: 'USB Mass Storage Device'
    condition: all of selection_*
falsepositives:
    - Likely
level: low

title: Failed Authentications From Countries You Do Not Operate Out Of
id: 28870ae4-6a13-4616-bd1a-235a7fad7458
status: test
description: Detect failed authentications from countries you do not operate out of.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
    selection1:
        Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
    condition: not selection and not selection1
falsepositives:
    - If this was approved by System Administrator.
level: low

title: File And SubFolder Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: |
    Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2024-04-14
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: Cmd.Exe
    selection_cli:
        CommandLine|contains|windash: 'dir*-s'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml
simulation:
    - type: atomic-red-team
      name: List Internet Explorer Bookmarks using the command prompt
      technique: T1217
      atomic_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85

title: File Deletion Via Del
id: 379fa130-190e-4c3f-b7bc-6c8e834485f3
status: test
description: |
    Detects execution of the builtin "del"/"erase" commands in order to delete files.
    Adversaries may delete files left behind by the actions of their intrusion activity.
    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
    selection_flags:
        CommandLine|contains|windash:
            - ' -f' # Force deleting of read-only files.
            - ' -s' # Delete specified files from all subdirectories.
            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
    condition: all of selection_*
falsepositives:
    - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
level: low

title: File or Folder Permissions Change
id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
status: test
description: Detects file and folder permission changes.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'chmod'
            - 'chown'
    condition: selection
falsepositives:
    - User interacting with files permissions (normal/daily behaviour).
level: low

title: Files Added To An Archive Using Rar.EXE
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: test
description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rar.exe'
        CommandLine|contains: ' a '
    condition: selection
falsepositives:
    - Highly likely if rar is a default archiver in the monitored environment.
level: low

title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
    - https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-18
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'netsh'
            - 'show '
            - 'firewall '
        CommandLine|contains:
            - 'config '
            - 'state '
            - 'rule '
            - 'name=all'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: low

title: Fsutil Drive Enumeration
id: 63de06b9-a385-40b5-8b32-73f2b9ef84b6
status: test
description: Attackers may leverage fsutil to enumerated connected drives.
references:
    - Turla has used fsutil fsinfo drives to list connected drives.
    - https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2022-03-29
modified: 2022-07-14
tags:
    - attack.discovery
    - attack.t1120
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains: 'drives'
    condition: all of selection_*
falsepositives:
    - Certain software or administrative tasks may trigger false positives.
level: low

title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: test
description: Detects attempts to use system dialog prompts to capture user credentials
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
author: remotephone, oscd.community
date: 2020-10-13
modified: 2025-12-05
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.002
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/osascript'
    selection_cli_1:
        CommandLine|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    selection_cli_2:
        CommandLine|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of selection_*
falsepositives:
    - Legitimate administration tools and activities
level: low

title: Gatekeeper Bypass via Xattr
id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
status: test
description: Detects macOS Gatekeeper bypass via xattr utility
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
    - https://www.loobins.io/binaries/xattr/
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2024-04-18
tags:
    - attack.defense-impairment
    - attack.t1553.001
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/xattr'
        CommandLine|contains|all:
            - '-d'
            - 'com.apple.quarantine'
    condition: selection
falsepositives:
    - Legitimate activities
level: low

title: GitHub Repository Archive Status Changed
id: dca8991c-cb16-4128-abf8-6b11e5cd156f
status: experimental
description: |
    Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
references:
    - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events
author: Ivan Saakov
date: 2025-10-18
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
logsource:
    product: github
    service: audit
detection:
    selection:
        action:
            - 'repo.archived'
            - 'repo.unarchived'
    condition: selection
falsepositives:
    - Archiving or unarchiving a repository is often legitimate. Investigate this action to determine if it was authorized.
level: low

title: GitHub Repository Pages Site Changed to Public
id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55
status: experimental
description: |
    Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.
references:
    - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events
author: Ivan Saakov
date: 2025-10-18
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1567.001
logsource:
    product: github
    service: audit
detection:
    selection:
        action: 'repo.pages_public'
    condition: selection
falsepositives:
    - Legitimate publishing of repository pages by authorized users
level: low

title: Github New Secret Created
id: f9405037-bc97-4eb7-baba-167dad399b83
status: test
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'codespaces.create_an_org_secret'
            - 'environment.create_actions_secret'
            - 'org.create_actions_secret'
            - 'repo.create_actions_secret'
    condition: selection
falsepositives:
    - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
level: low

title: Github Push Protection Bypass Detected
id: 02cf536a-cf21-4876-8842-4159c8aee3cc
status: test
description: Detects when a user bypasses the push protection on a secret detected by secret scanning.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action|contains: 'secret_scanning_push_protection.bypass'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: low

title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: test
description: |
    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
    This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
    it should be validated from GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
tags:
    - attack.impact
    - attack.discovery
    - attack.collection
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1526
    - attack.t1213.003
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_self_hosted_runner'
            - 'org.runner_group_created'
            - 'org.runner_group_removed'
            - 'org.runner_group_runner_removed'
            - 'org.runner_group_runners_added'
            - 'org.runner_group_runners_updated'
            - 'org.runner_group_updated'
            - 'repo.register_self_hosted_runner'
            - 'repo.remove_self_hosted_runner'
    condition: selection
falsepositives:
    - Allowed self-hosted runners changes in the environment.
    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
level: low

title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
status: test
description: Detects when storage bucket is enumerated in Google Cloud.
references:
    - https://cloud.google.com/storage/docs/json_api/v1/buckets
author: Austin Songer @austinsonger
date: 2021-08-14
modified: 2022-10-09
tags:
    - attack.discovery
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - storage.buckets.list
            - storage.buckets.listChannels
    condition: selection
falsepositives:
    - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

title: Guest Account Enabled Via Sysadminctl
id: d7329412-13bd-44ba-a072-3387f804a106
status: test
description: Detects attempts to enable the guest account using the sysadminctl utility
references:
    - https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
    - attack.t1078.001
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/sysadminctl'
        CommandLine|contains|all:
            # By default the guest account is not active
            - ' -guestAccount'
            - ' on'
    condition: selection
falsepositives:
    - Unknown
level: low

title: HH.EXE Execution
id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84
status: test
description: Detects the execution of "hh.exe" to open ".chm" files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.stealth
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_cli:
        CommandLine|contains: '.chm'
    condition: all of selection_*
falsepositives:
    - False positives are expected with legitimate ".CHM"
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml

title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
status: test
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: 'Pawel Mazur'
date: 2021-09-06
modified: 2025-06-16
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    product: linux
    service: auditd
detection:
    selection_commands:
        type: 'EXECVE'
        a0:
            - 'mkdir'
            - 'nano'
            - 'touch'
            - 'vi'
            - 'vim'
    selection_arguments:
        - a1|re: '(^|\/)\.[^.\/]'
        - a2|re: '(^|\/)\.[^.\/]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: huawei
    service: bgp
    definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_huawei:
        '|all':
            - ':179' # Protocol
            - 'BGP_AUTH_FAILED'
    condition: keywords_bgp_huawei
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low

title: Indirect Command Execution By Program Compatibility Wizard
id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
status: test
description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
references:
    - https://twitter.com/pabraeken/status/991335019833708544
    - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
author: A. Sungurov , oscd.community
date: 2020-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection
falsepositives:
    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
    - Legit usage of scripts
level: low

title: Insensitive Subfolder Search Via Findstr.EXE
id: 04936b66-3915-43ad-a8e5-809eadfd1141
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_search_subfolder:
        CommandLine|contains|windash: ' -s '
    selection_cli_search_insensitive:
        CommandLine|contains|windash: ' -i '
    condition: selection_findstr and all of selection_cli_search_*
falsepositives:
    - Administrative or software activity
level: low