title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
    Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection_process:
        Image|endswith: '/grep'
    selection_architecture:
        CommandLine|endswith:
            - 'aarch64'
            - 'arm'
            - 'i386'
            - 'i686'
            - 'mips'
            - 'x86_64'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of a new office macro files on the systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
        TargetFilename|contains: '\~$' # Temporary files created by Office applications
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low

title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of a new office macro files on the system via an application (browser, mail client).
    This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low

title: Okta Policy Modified or Deleted
id: 1667a172-ed4c-463c-9969-efd92195319a
status: test
description: Detects when an Okta policy is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - policy.lifecycle.update
            - policy.lifecycle.delete
    condition: selection
falsepositives:
    - Okta Policies being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

title: OneLogin User Account Locked
id: a717c561-d117-437e-b2d9-0118a7035d01
status: test
description: Detects when an user account is locked or suspended.
references:
    - https://developers.onelogin.com/api-docs/1/events/event-resource/
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: onelogin
    service: onelogin.events
detection:
    selection1: # Locked via API
        event_type_id: 532
    selection2: # Locked via API
        event_type_id: 553
    selection3: # Suspended via API
        event_type_id: 551
    condition: 1 of selection*
falsepositives:
    - System may lock or suspend user accounts.
level: low

title: OneLogin User Assumed Another User
id: 62fff148-278d-497e-8ecd-ad6083231a35
status: test
description: Detects when an user assumed another user account.
references:
    - https://developers.onelogin.com/api-docs/1/events/event-resource
author: Austin Songer @austinsonger
date: 2021-10-12
modified: 2022-12-25
tags:
    - attack.impact
logsource:
    product: onelogin
    service: onelogin.events
detection:
    selection:
        event_type_id: 3
    condition: selection
falsepositives:
    - Unknown
level: low

title: Outgoing Logon with New Credentials
id: def8b624-e08f-4ae1-8612-1ba21190da6b
status: test
description: Detects logon events that specify new credentials
references:
    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.lateral-movement
    - attack.t1550
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection
falsepositives:
    - Legitimate remote administration activity
level: low

title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) of a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Jakob Weinzettl, oscd.community
date: 2019-10-23
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'
        a1|contains:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection
falsepositives:
    - Appending null bytes to files.
    - Legitimate overwrite of files.
level: low

title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
    Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
author: frack113
date: 2022-01-01
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains: 'adidnsdump'
    condition: selection
falsepositives:
    - Unknown
level: low

title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml

title: Password Policy Discovery - Linux
id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
status: stable
description: Detects password policy discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md
    - https://linux.die.net/man/1/chage
    - https://man7.org/linux/man-pages/man1/passwd.1.html
    - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
author: Ömer Günal, oscd.community, Pawel Mazur
date: 2020-10-08
modified: 2024-12-01
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: linux
    service: auditd
detection:
    selection_files:
        type: 'PATH'
        name:
            - '/etc/login.defs'
            - '/etc/pam.d/auth'
            - '/etc/pam.d/common-account'
            - '/etc/pam.d/common-auth'
            - '/etc/pam.d/common-password'
            - '/etc/pam.d/system-auth'
            - '/etc/security/pwquality.conf'
    selection_chage:
        type: 'EXECVE'
        a0: 'chage'
        a1:
            - '--list'
            - '-l'
    selection_passwd:
        type: 'EXECVE'
        a0: 'passwd'
        a1:
            - '-S'
            - '--status'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low

title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
status: test
description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1201
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low

title: Potential 7za.DLL Sideloading
id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
status: test
description: Detects potential DLL sideloading of "7za.dll"
references:
    - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
author: X__Junior
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\7za.dll'
    filter_main_legit_path:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
level: low

title: Potential Azure Browser SSO Abuse
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
status: test
description: |
    Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
    An attacker can use this to authenticate to Azure AD in a browser as that user.
references:
    - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
author: Den Iuzvyk
date: 2020-07-15
modified: 2023-04-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded: 'C:\Windows\System32\MicrosoftAccountTokenProvider.dll'
    filter_main_bgtaskhost:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        Image|endswith: '\BackgroundTaskHost.exe'
        # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider'
    filter_optional_devenv:
        Image|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
        Image|endswith: '\IDE\devenv.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity
level: low

title: Potential Bucket Enumeration on AWS
id: f305fd62-beca-47da-ad95-7690a0620084
related:
    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
      type: similar
status: test
description: Looks for potential enumeration of AWS buckets via ListBuckets.
references:
    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-01-06
modified: 2024-07-10
tags:
    - attack.discovery
    - attack.t1580
    - attack.t1619
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 's3.amazonaws.com'
        eventName: 'ListBuckets'
    filter:
        userIdentity.type: 'AssumedRole'
    condition: selection and not filter
falsepositives:
    - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
level: low

title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
    category: process_creation
    product: linux
detection:
    selection_ls_img:
        Image|endswith: '/ls'    # inode outside containers low, inside high
    selection_ls_cli:
        - CommandLine|endswith: ' /'
        - CommandLine|contains: ' / '
    selection_regex_inode:
        CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)'      # -i finds inode number
    selection_regex_dir:
        CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)'  # -d gets directory itself, not contents
    condition: all of selection_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low

title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
id: db809f10-56ce-4420-8c86-d6a7d793c79c
status: test
description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1006
logsource:
    product: windows
    category: raw_access_thread
detection:
    filter_main_floppy:
        Device|contains: floppy
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\CCM\'
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\servicing\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemApps\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_main_system_images:
        Image:
            - 'Registry'
            - 'System'
    filter_main_windefender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe'
            - '\MpDefenderCoreService.exe'
    filter_main_microsoft_appdata:
        Image|startswith: 'C:\Users\'
        Image|contains|all:
            - '\AppData\'
            - '\Microsoft\'
    filter_main_ssd_nvme:
        Image|startswith: 'C:\Windows\Temp\'
        Image|endswith:
            - '\Executables\SSDUpdate.exe'
            - '\HostMetadata\NVMEHostmetadata.exe'
    filter_main_null:
        Image: null
    filter_main_systemsettings:
        Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
    filter_main_update:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_optional_github_desktop:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\GitHubDesktop\app-'
        Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith: '\thor.exe'
    filter_optional_Keybase:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Keybase\upd.exe'
    condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low

title: Potential Encoded PowerShell Patterns In CommandLine
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
related:
    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
      type: similar
status: test
description: Detects specific combinations of encoding methods in PowerShell via the commandline
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_to_1:
        CommandLine|contains:
            - 'ToInt'
            - 'ToDecimal'
            - 'ToByte'
            - 'ToUint'
            - 'ToSingle'
            - 'ToSByte'
    selection_to_2:
        CommandLine|contains:
            - 'ToChar'
            - 'ToString'
            - 'String'
    selection_gen_1:
        CommandLine|contains|all:
            - 'char'
            - 'join'
    selection_gen_2:
        CommandLine|contains|all:
            - 'split'
            - 'join'
    condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)
falsepositives:
    - Unknown
level: low

title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low

title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
      type: derived
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
    - https://github.com/1337Rin/Swag-PSO
author: frack113
date: 2023-01-08
modified: 2025-10-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1027
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Set-Alias '
            - 'New-Alias '
    filter_main_cim:
        ScriptBlockText:
            - 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
            - 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low

title: Potential PowerShell Obfuscation Using Character Join
id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
    - id: 96cd126d-f970-49c4-848a-da3a09f55c55
      type: derived
status: test
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1027
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        # Example:
        #   Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
        #   Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
        ScriptBlockText|contains|all:
            - '-Alias' # For both "New-Alias" and "Set-Alias"
            - ' -Value (-join('
    condition: selection
falsepositives:
    - Unknown
level: low

title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: test
description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
    - https://github.com/mttaggart/OffensiveNotion
    - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
author: Gavin Knapp
date: 2023-05-03
tags:
    - attack.command-and-control
    - attack.t1102
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'api.notion.com'
    filter_main_notion:
        Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
    filter_main_brave:
        Image|endswith: '\brave.exe'
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_opera:
        Image|endswith: '\opera.exe'
    filter_main_safari:
        Image|endswith: '\safari.exe'
    filter_main_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low

title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning

title: PowerShell Download Via Net.WebClient - PowerShell Classic
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: |
    Detects PowerShell download activity, via the .DownloadFile() or .DownloadString() methods of the Net.WebClient class.
    This technique is often abused by attackers to download additional payloads.
references:
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2026-04-28
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.001
    - attack.t1105
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection_webclient:
        Data|contains: 'Net.WebClient'
    selection_download:
        Data|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*
falsepositives:
    - This activity may be used by legitimate software, such as patch management tools or software updaters. Investigate any such activity and apply the necessary filter.
level: low

title: PowerShell Module File Created
id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    condition: selection
falsepositives:
    - Likely
level: low

title: PowerShell Script Change Permission Via Set-Acl - PsScript
id: cae80281-ef23-44c5-873b-fd48d2666f49
related:
    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
      type: derived
    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
      type: derived
    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
      type: derived
status: test
description: Detects PowerShell scripts set ACL to of a file or a folder
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
    - attack.defense-impairment
    - attack.t1222
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Set-Acl '
            - '-AclObject '
            - '-Path '
    condition: selection
falsepositives:
    - Unknown
level: low

title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.ps1'
    filter_main_psscriptpolicytest:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_appdata:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\Local\Temp\'
    filter_main_windows_temp:
        TargetFilename|startswith: 'C:\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low

title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
      type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
    - attack.execution
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Likely
level: low

title: PowerShell Script With File Upload Capabilities
id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: test
description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
author: frack113
date: 2022-01-07
modified: 2025-07-18
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
    selection_flag:
        ScriptBlockText|contains:
            - '-Method "POST"'
            - '-Method "PUT"'
            - '-Method POST'
            - '-Method PUT'
            - "-Method 'POST'"
            - "-Method 'PUT'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: Powershell Suspicious Win32_PnPEntity
id: b26647de-4feb-4283-af6b-6117661283c5
status: test
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
author: frack113
date: 2021-08-23
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1120
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Win32_PnPEntity
    condition: selection
falsepositives:
    - Admin script
level: low

title: Previously Installed IIS Module Was Removed
id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
status: test
description: Detects the removal of a previously installed IIS module.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/remove'
    condition: selection
falsepositives:
    - Legitimate administrator activity
# Note: Upgrade after an initial baseline
level: low

title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: test
description: |
    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
    Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - Unknown
level: low

title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSEXESVC.exe'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Python Image Load By Non-Python Process
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
status: test
description: |
    Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
    Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
    Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
references:
    - https://www.py2exe.org/
    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
author: Patrick St. John, OTR (Open Threat Research)
date: 2020-05-03
modified: 2025-08-18
tags:
    - attack.stealth
    - attack.t1027.002
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Description: 'Python Core'
    filter_main_generic:
        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.
        - Image|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
              - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
    filter_optional_null_image:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Py2Exe Binaries
    - Known false positive caused with Python Anaconda
    - Various legitimate software is bundled from Python code into executables
level: low

title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
description: |
    Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low

title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: test
description: |
    Detects identities attempting to enumerate their Kubernetes RBAC permissions.
    In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
    In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
    This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
references:
    - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1069.003
    - attack.t1087.004
    - attack.discovery
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        apiGroup: 'authorization.k8s.io'
        objectRef.resource: 'selfsubjectrulesreviews'
    condition: selection
falsepositives:
    - Unknown
level: low

title: RegAsm.EXE Execution Without CommandLine Flags or Files
id: 651f87f7-12db-47f9-84c5-f27b081b94b6
status: experimental
description: |
    Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
    Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
references:
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
    - https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2
    - https://www.joesandbox.com/analysis/1467354/0/html
author: frack113
date: 2025-06-04
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\RegAsm.exe'
        - OriginalFileName: 'RegAsm.exe'
    selection_cli:
        CommandLine|endswith:
            - 'RegAsm'
            - 'RegAsm.exe'
            - 'RegAsm.exe"'
            - "RegAsm.exe'"
    condition: all of selection_*
falsepositives:
    - Legitimate use of Regasm by developers.
# Note: You can increase after an initial baseline
level: low

title: Registry Modification Via Regini.EXE
id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
related:
    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
      type: derived
status: test
description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-08
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    filter:
        CommandLine|re: ':[^ \\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682
    condition: selection and not filter
falsepositives:
    - Legitimate modification of keys
level: low

title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: Detects command execution via ScreenConnect RMM
references:
    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    service: application
    product: windows
detection:
    selection:
        Provider_Name: 'ScreenConnect'
        EventID: 200
        Data|contains: 'Executed command of length'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
level: low

title: Remote Access Tool - ScreenConnect File Transfer
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: Detects file being transferred via ScreenConnect RMM
references:
    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    service: application
    product: windows
detection:
    selection:
        Provider_Name: 'ScreenConnect'
        EventID: 201
        Data|contains: 'Transferred files with action'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
level: low

title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: test
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
modified: 2024-02-26
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        # Example:
        #   CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
        CommandLine|contains: '\TEMP\ScreenConnect\'
    condition: all of selection_*
falsepositives:
    - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
# Note: Increase the level if you don't leverage ScreenConnect
level: low

title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: |
    Detects the creation of files in a specific location by ScreenConnect RMM.
    ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ScreenConnect.WindowsClient.exe'
        TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
# Note: Incase the level if ScreenConnect is not used
level: low

title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low

title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low

title: Remote Access Tool - Team Viewer Session Started On Windows Host
id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
related:
    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: 'TeamViewer_Desktop.exe'
        ParentImage: 'TeamViewer_Service.exe'
        CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low

title: Remote File Copy
id: 7a14080d-a048-4de8-ae58-604ce58a795b
status: stable
description: Detects the use of tools that copy files from or to remote systems
references:
    - https://www.cisa.gov/stopransomware/ransomware-guide
author: Ömer Günal
date: 2020-06-18
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1105
logsource:
    product: linux
detection:
    tools:
        - 'scp '
        - 'rsync '
        - 'sftp '
    filter:
        - '@'
        - ':'
    condition: tools and filter
falsepositives:
    - Legitimate administration activities
level: low

title: Remote PowerShell Session (PS Classic)
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
related:
    - id: 96b9f619-aa91-478f-bacb-c3e50f8df575
      type: derived
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2024-01-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'HostName=ServerRemoteHost'
            - 'wsmprovhost.exe'
    condition: selection
falsepositives:
    - Legitimate use remote PowerShell sessions
# Note: Increase the level to "medium" in environments that do not leverage PowerShell remoting
level: low

title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1036.003
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
            - 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low

title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low

title: Run Once Task Execution as Configured in Registry
id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
status: test
description: This rule detects the execution of Run Once task as configured in the registry
references:
    - https://twitter.com/pabraeken/status/990717080805789697
    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
    - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'
date: 2020-10-18
modified: 2022-12-13
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\runonce.exe'
        - Description: 'Run Once Wrapper'
    selection_cli:
        - CommandLine|contains: '/AlternateShellStartup'
        - CommandLine|endswith: '/r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low