title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

title: Interesting Service Enumeration Via Sc.EXE
id: e83e8899-c9b2-483b-b355-5decc942b959
status: test
description: |
    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'query'
    selection_cmd:
        # Note: add more interesting services
        CommandLine|contains: 'termservice'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: can be upgraded to medium after an initial baseline
level: low

title: JAMF MDM Execution
id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
status: test
description: |
    Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Jay Pandit
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/jamf'
        CommandLine|contains:
            # Note: add or remove commands according to your policy
            - 'createAccount'
            - 'manage'
            - 'removeFramework'
            - 'removeMdmProfile'
            - 'resetPassword'
            - 'setComputerName'
    condition: selection
falsepositives:
    - Legitimate use of the JAMF CLI tool by IT support and administrators
level: low

title: JScript Compiler Execution
id: 52788a70-f1da-40dd-8fbd-73b5865d6568
status: test
description: |
    Detects the execution of the "jsc.exe" (JScript Compiler).
    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
    - https://www.phpied.com/make-your-javascript-a-windows-exe/
    - https://twitter.com/DissectMalware/status/998797808907046913
author: frack113
date: 2022-05-02
modified: 2024-04-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\jsc.exe'
        - OriginalFileName: 'jsc.exe'
    condition: selection
falsepositives:
    - Legitimate use to compile JScript by developers.
# Note: Can be decreased to informational or increased to medium depending on how this utility is used.
level: low

title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: test
description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: juniper
    service: bgp
    definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
detection:
    keywords_bgp_juniper:
        '|all':
            - ':179' # Protocol
            - 'missing MD5 digest'
    condition: keywords_bgp_juniper
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low

title: Kubernetes Secrets Enumeration
id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
      type: derived
status: test
description: Detects enumeration of Kubernetes secrets.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1552.007
    - attack.credential-access
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'list'
        objectRef.resource: 'secrets'
    condition: selection
falsepositives:
    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
level: low

title: Kubernetes Unauthorized or Unauthenticated Access
id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
status: test
description: |
    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
    This may indicate an attacker attempting to leverage credentials they have obtained.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
author: kelnage
date: 2024-04-12
tags:
    - attack.privilege-escalation
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        responseStatus.code:
            - 401 # Unauthorized
            - 403 # Forbidden
    condition: selection
falsepositives:
    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
level: low

title: Linux Capabilities Discovery
id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
status: test
description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
references:
    - https://man7.org/linux/man-pages/man8/getcap.8.html
    - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
    - https://mn3m.info/posts/suid-vs-capabilities/
    - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
author: 'Pawel Mazur'
date: 2021-11-28
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.privilege-escalation
    - attack.t1083
    - attack.t1548
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: getcap
        a1: '-r'
        a2: '/'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Linux Doas Tool Execution
id: 067d8238-7127-451c-a9ec-fa78045b618b
status: stable
description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
references:
    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/doas'
    condition: selection
falsepositives:
    - Unlikely
level: low

title: Linux Network Service Scanning - Auditd
id: 3761e026-f259-44e6-8826-719ed8079408
related:
    - id: 3e102cd9-a70d-4a7a-9508-403963092f31
      type: derived
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-09-26
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: linux
    service: auditd
    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

title: Linux Network Service Scanning Tools Execution
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: test
description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
    - https://github.com/projectdiscovery/naabu
    - https://github.com/Tib3rius/AutoRecon
author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
date: 2020-10-21
modified: 2024-09-19
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection_netcat:
        Image|endswith:
            - '/nc'
            - '/ncat'
            - '/netcat'
            - '/socat'
    selection_network_scanning_tools:
        Image|endswith:
            - '/autorecon'
            - '/hping'
            - '/hping2'
            - '/hping3'
            - '/naabu'
            - '/nmap'
            - '/nping'
            - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
            - '/zenmap'
    filter_main_netcat_listen_flag:
        CommandLine|contains:
            - ' --listen '
            - ' -l '
    condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
falsepositives:
    - Legitimate administration activities
level: low

title: Linux Package Uninstall
id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
status: test
description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
references:
    - https://sysdig.com/blog/mitre-defense-evasion-falco
    - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
    - https://linuxhint.com/uninstall_yum_package/
    - https://linuxhint.com/uninstall-debian-packages/
author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.stealth
    - attack.t1070
logsource:
    product: linux
    category: process_creation
detection:
    selection_yum:
        Image|endswith: '/yum'
        CommandLine|contains:
            - 'erase'
            - 'remove'
    selection_apt:
        Image|endswith:
            - '/apt'
            - '/apt-get'
        CommandLine|contains:
            - 'remove'
            - 'purge'
    selection_dpkg:
        Image|endswith: '/dpkg'
        CommandLine|contains:
            - '--remove '
            - ' -r '
    selection_rpm:
        Image|endswith: '/rpm'
        CommandLine|contains: ' -e '
    condition: 1 of selection_*
falsepositives:
    - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
level: low

title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/arp'
        CommandLine|contains: '-a'
    selection_2:
        Image|endswith: '/ping'
        CommandLine|contains:
            - ' 10.' # 10.0.0.0/8
            - ' 192.168.' # 192.168.0.0/16
            - ' 172.16.' # 172.16.0.0/12
            - ' 172.17.'
            - ' 172.18.'
            - ' 172.19.'
            - ' 172.20.'
            - ' 172.21.'
            - ' 172.22.'
            - ' 172.23.'
            - ' 172.24.'
            - ' 172.25.'
            - ' 172.26.'
            - ' 172.27.'
            - ' 172.28.'
            - ' 172.29.'
            - ' 172.30.'
            - ' 172.31.'
            - ' 127.' # 127.0.0.0/8
            - ' 169.254.' # 169.254.0.0/16
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low

title: Linux Setgid Capability Set on a Binary via Setcap Utility
id: 3a716279-c18c-4488-83be-f9ececbfb9fc
status: experimental
description: |
    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
    This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
    - https://man7.org/linux/man-pages/man8/setcap.8.html
    - https://dfir.ch/posts/linux_capabilities/
    - https://juggernaut-sec.com/capabilities/#cap_setgid
author: Luc Génaux
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548
    - attack.t1554
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/setcap'
        CommandLine|contains: 'cap_setgid'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Linux Setuid Capability Set on a Binary via Setcap Utility
id: ed447910-bc30-4575-a598-3a2e49516a7a
status: experimental
description: |
    Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
    This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
    - https://man7.org/linux/man-pages/man8/setcap.8.html
    - https://dfir.ch/posts/linux_capabilities/
    - https://juggernaut-sec.com/capabilities/#cap_setuid
author: Luc Génaux
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548
    - attack.t1554
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/setcap'
        CommandLine|contains: 'cap_setuid'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Linux Sudo Chroot Execution
id: f2bed782-994e-4f40-9cd5-518198cb3fba
status: experimental
description: |
    Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
    Attackers may use this technique to evade detection and execute commands in a modified environment.
    This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
    While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
references:
    - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains:
            - ' --chroot '
            - 'sudo -R '
    condition: selection
falsepositives:
    - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
level: low

title: Load Of RstrtMgr.DLL By An Uncommon Process
id: 3669afd2-9891-4534-a626-e5cf03810a61
related:
    - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
      type: derived
status: test
description: |
    Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
    It could also be used for anti-analysis purposes by shut downing specific processes.
references:
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
modified: 2025-12-08
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1486
    - attack.t1685
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    filter_main_generic:
        Image|startswith:
            - C:\$WINDOWS.~BT\'
            - C:\$WinREAgent\'
            - C:\Program Files (x86)\'
            - C:\Program Files\'
            - C:\ProgramData\'
            - C:\Windows\explorer.exe'
            - C:\Windows\SoftwareDistribution\'
            - C:\Windows\SysNative\'
            - C:\Windows\System32\'
            - C:\Windows\SysWOW64\'
            - C:\Windows\WinSxS\'
            - C:\WUDownloadCache\'
    filter_main_user_software_installations:
        Image|startswith: C:\Users\'
        Image|contains|all:
            - '\AppData\Local\Temp\is-'
            - '.tmp\'
        Image|endswith: '.tmp'
    filter_main_admin_software_installations:
        Image|startswith: C:\Windows\Temp\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate Windows processes not currently listed
    - Processes related to software installation
level: low

title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
    - id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
      type: obsolete
description: Local accounts, System Owner/User discovery using operating systems utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_img:
        - Image|endswith:
              - '\whoami.exe'
              - '\quser.exe'
              - '\qwinsta.exe'
        - OriginalFileName:
              - 'whoami.exe'
              - 'quser.exe'
              - 'qwinsta.exe'
    selection_other_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'useraccount'
            - 'get'
    selection_other_cmdkey:
        Image|endswith: '\cmdkey.exe'
        CommandLine|contains: ' /l'
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' /c'
            - 'dir '
            - '\Users\'
    filter_cmd:
        CommandLine|contains: ' rmdir ' # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'user'
    filter_net:
        CommandLine|contains:
            - '/domain'       # local account discovery only
            - '/add'          # discovery only
            - '/delete'       # discovery only
            - '/active'       # discovery only
            - '/expires'      # discovery only
            - '/passwordreq'  # discovery only
            - '/scriptpath'   # discovery only
            - '/times'        # discovery only
            - '/workstations' # discovery only
    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
    - Legitimate administrator or user enumerates local users for legitimate reason
level: low

title: Local Groups Discovery - Linux
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: test
description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/groups'
    selection_2:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/less'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
        CommandLine|contains: '/etc/group'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low

title: Local Groups Reconnaissance Via Wmic.EXE
id: 164eda96-11b2-430b-85ff-6a265c15bf32
status: test
description: |
    Detects the execution of "wmic" with the "group" flag.
    Adversaries may attempt to find local system groups and permission settings.
    The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: ' group'
    condition: all of selection*
falsepositives:
    - Unknown
level: low

title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
    - https://my.f5.com/manage/s/article/K589
    - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
author: Alejandro Ortuno, oscd.community, CheraghiMilad
date: 2020-10-08
modified: 2024-12-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/lastlog'
    selection_2:
        CommandLine|contains: '''x:0:'''
    selection_3:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
            - '/less'
            - '/emacs'
            - '/sqlite3'
            - '/makemap'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/shadow'
            - '/etc/sudoers'
            - '/etc/spwd.db'
            - '/etc/pwd.db'
            - '/etc/master.passwd'
    selection_4:
        Image|endswith: '/id'
    selection_5:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low

title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: Detects enumeration of local systeam accounts on MacOS
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - 'list'
            - '/users'
    selection_2:
        Image|endswith: '/dscacheutil'
        CommandLine|contains|all:
            - '-q'
            - 'user'
    selection_3:
        CommandLine|contains: '''x:0:'''
    selection_4:
        Image|endswith: '/cat'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/sudoers'
    selection_5:
        Image|endswith: '/id'
    selection_6:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low

title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: |
    Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
    - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
date: 2019-04-18
modified: 2021-01-17
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
falsepositives:
    - Domain Controller Logs
    - Local accounts managed by privileged account management tools
level: low

title: MSSQL Server Failed Logon
id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
    - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
      type: similar
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: Nasreddine Bencherchali (Nextron Systems), j4son
date: 2023-10-11
modified: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    condition: selection
falsepositives:
    - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
level: low

title: MacOS Network Service Scanning
id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith:
            - '/nc'
            - '/netcat'
    selection_2:
        Image|endswith:
            - '/nmap'
            - '/telnet'
    filter:
        CommandLine|contains: 'l'
    condition: (selection_1 and not filter) or selection_2
falsepositives:
    - Legitimate administration activities
level: low

title: Malicious Windows Script Components File Execution by TAEF Detection
id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
status: test
description: |
  Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
  Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
    - https://twitter.com/pabraeken/status/993298228840992768
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-13
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\te.exe'
        - ParentImage|endswith: '\te.exe'
        - OriginalFileName: '\te.exe'
    condition: selection
falsepositives:
    - It's not an uncommon to use te.exe directly to execute legal TAEF tests
level: low

title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: test
description: |
    Detects changes to the "MaxMpxCt" registry value.
    MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Measurable Increase Of Successful Authentications
id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
status: test
description: Detects when successful sign-ins increased by 10% or greater.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: Success
        Count: "<10%"
    condition: selection
falsepositives:
    - Increase of users in the environment
level: low

title: Modification of IE Registry Settings
id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
status: test
description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
author: frack113
date: 2022-01-22
modified: 2025-10-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_domains:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    filter_main_dword:
        Details|startswith: 'DWORD'
    filter_main_null:
        Details: null
    filter_main_office:
        Details:
            - 'Cookie:'
            - 'Visited:'
            - '(Empty)'
    filter_main_path:
        TargetObject|contains:
            - '\Cache'
            - '\ZoneMap'
            - '\WpadDecision'
    filter_main_binary:
        Details: 'Binary Data'
    filter_optional_accepted_documents:
        # Spotted during Office installations
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents'
    condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low

title: Mstsc.EXE Execution With Local RDP File
id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
date: 2023-04-18
modified: 2023-04-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    filter_optional_wsl:
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with legitimate usage of ".rdp" files
level: low

title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'ntds.dit'
    condition: selection
falsepositives:
    - Unknown
level: low

title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: test
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
author: Florian Roth (Nextron Systems)
date: 2018-06-08
modified: 2024-07-22
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
    condition: selection
falsepositives:
    - Legacy hosts
level: low

title: Named Pipe Created Via Mkfifo
id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Network Connection Initiated To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
description: |
    Detects a network connection initiated by a binary to "api.mega.co.nz".
    Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
references:
    - https://megatools.megous.com/
    - https://www.mandiant.com/resources/russian-targeting-gov-business
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2024-05-31
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'mega.co.nz'
            - 'mega.nz'
    condition: selection
falsepositives:
    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
level: low

title: Network Sniffing - Linux
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: test
description: |
  Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
  An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-12-18
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: 'execve'
        a0: 'tcpdump'
        a1: '-c'
        a3|contains: '-i'
    selection_2:
        type: 'execve'
        a0: 'tshark'
        a1: '-c'
        a3: '-i'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low

title: New BITS Job Created Via Bitsadmin
id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
status: test
description: Detects the creation of a new bits job by Bitsadmin
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith: '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field
level: low

title: New BITS Job Created Via PowerShell
id: fe3a2d49-f255-4d10-935c-bda7391108eb
status: test
description: Detects the creation of a new bits job by PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
author: frack113
date: 2022-03-01
modified: 2023-03-27
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    service: bits-client
detection:
    selection:
        EventID: 3
        processPath|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrator PowerShell scripts
level: low

title: New Cron File Created
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: experimental
description: |
    Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
    Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
    This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
    Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
    Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
    Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
    - https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
    - https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
    - https://snehbavarva.medium.com/privilege-escalation-techniques-series-linux-cron-jobs-a5b797b424b4
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection_cron_dirs:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
            - '/var/spool/cron/root'
    selection_cron_special_files:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    filter_optional_legit_cron:
        # Note: FPs on docker images: golang, postgres, python, redis, ruby
        TargetFilename:
            - '/etc/cron.daily/apt'
            - '/etc/cron.daily/dpkg'
            - '/etc/cron.daily/passwd'
            - '/etc/crontabs/root'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.
level: low

title: New Kind of Network (NKN) Detection
id: fa7703d6-0ee8-4949-889c-48c84bc15b6f
status: test
description: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
references:
    - https://github.com/nknorg/nkn-sdk-go
    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
    - https://github.com/Maka8ka/NGLite
author: Michael Portera (@mportatoes)
date: 2022-04-21
tags:
    - attack.command-and-control
logsource:
    product: zeek
    service: dns
detection:
    selection:
        query|contains|all:
            - 'seed'
            - '.nkn.org'
    condition: selection
falsepositives:
    - Unknown
level: low

title: New Kubernetes Service Account Created
id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
      type: derived
status: test
description: |
    Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.persistence
    - attack.t1136
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'serviceaccounts'
    condition: selection
falsepositives:
    - Unknown
level: low

title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
    Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
falsepositives:
    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
level: low

title: New ODBC Driver Registered
id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
status: test
description: Detects the registration of a new ODBC driver.
references:
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
        TargetObject|endswith: '\Driver'
    filter_main_sqlserver:
        TargetObject|contains: '\SQL Server\'
        Details: '%WINDIR%\System32\SQLSRV32.dll'
    filter_optional_office_access:
        TargetObject|contains: '\Microsoft Access '
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    filter_optional_office_excel:
        TargetObject|contains: '\Microsoft Excel Driver'
        Details|startswith: 'C:\Progra'
        Details|endswith: '\ACEODBC.DLL'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low

title: New Process Created Via Taskmgr.EXE
id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
status: test
description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
references:
    - https://twitter.com/ReneFreingruber/status/1172244989335810049
author: Florian Roth (Nextron Systems)
date: 2018-03-13
modified: 2024-01-18
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\taskmgr.exe'
    filter_main_generic:
        Image|endswith:
            - ':\Windows\System32\mmc.exe'
            - ':\Windows\System32\resmon.exe'
            - ':\Windows\System32\Taskmgr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: low

title: New Service Creation Using PowerShell
id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
related:
    - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE
      type: similar
status: test
description: Detects the creation of a new service using powershell.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-Service'
            - '-BinaryPathName'
    condition: selection
falsepositives:
    - Legitimate administrator or user creates a service for legitimate reasons.
    - Software installation
level: low

title: New Service Creation Using Sc.EXE
id: 85ff530b-261d-48c6-a441-facaa2e81e48
related:
    - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell
      type: similar
status: test
description: Detects the creation of a new service using the "sc.exe" utility.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
modified: 2025-09-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'create'
            - 'binPath'
    filter_optional_dropbox:
        ParentImage|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
        ParentImage|endswith: '\Dropbox.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrator or user creates a service for legitimate reasons.
    - Software installation
level: low

title: Nltest.EXE Execution
id: 903076ff-f442-475a-b667-4f246bcc203b
related:
    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
      type: similar
    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
      type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
author: Arun Chauhan
date: 2023-02-03
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1018
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\nltest.exe'
        - OriginalFileName: 'nltestrk.exe'
    condition: selection
falsepositives:
    - Legitimate administration activity
level: low

title: No Suitable Encryption Key Found For Generating Kerberos Ticket
id: b1e0b3f5-b62e-41be-886a-daffde446ad4
status: test
description: |
    Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
    This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
author: '@SerkinValery'
date: 2024-03-07
modified: 2025-09-22
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS
            - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS
    condition: selection
falsepositives:
    - Unknown
level: low

title: NodeJS Execution of JavaScript File
id: ba3874b9-0fae-465f-836c-eb5d071a1789
status: experimental
description: |
    Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
    Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
    Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
    Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
level: low

title: Non Interactive PowerShell Process Spawned
id: f4bbd493-b796-416e-bbf2-121235348529
status: test
description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
references:
    - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
date: 2019-09-12
modified: 2025-02-28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_generic:
        ParentImage|endswith:
            - ':\Windows\explorer.exe'
            - ':\Windows\System32\CompatTelRunner.exe'
            - ':\Windows\SysWOW64\explorer.exe'
    filter_main_windows_update:
        ParentImage: ':\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades
        # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
    filter_optional_vscode:
        # Triggered by VsCode when you open a Shell inside the workspace
        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
        ParentImage|endswith: '\WindowsTerminal.exe'
    filter_optional_defender:
        ParentImage|endswith: ':\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
level: low

title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
    - https://intel.thedfirreport.com/eventReports/view/57  # Private Report
author: 'The DFIR Report'
tags:
    - attack.discovery
    - attack.t1083
date: 2025-02-21
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\notepad.exe'
        CommandLine|endswith:
        # Note: Commandline to contain a file with the string password and a specific extension
            - 'password*.txt'
            - 'password*.csv'
            - 'password*.doc'
            - 'password*.xls'
    condition: selection
falsepositives:
    - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low