Sigma detection rules

275 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. The raw YAML of each rule follows its summary.

Detection rules

50 shown of 275

Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Level: low · Status: test · Author: Florian Roth (Nextron Systems) · ID: 92626ddd-662c-49e3-ac59-f6535f12d189
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2025-10-22
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.005
    - attack.s0111
    - car.2013-08-001
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: ' /create '
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_msoffice:
        #  schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
        ParentImage:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
        Image:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity
    - Software installation
level: low

Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code.
Level: low · Status: stable · Author: Ömer Günal, oscd.community · ID: d2d642d7-b393-43fe-bae4-e81ed5915c4b
title: Scheduled Task/Job At
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
status: stable
description: |
  Detects the use of at/atd which are utilities that are used to schedule tasks.
  They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
author: Ömer Günal, oscd.community
date: 2020-10-06
modified: 2022-07-07
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/at'
            - '/atd'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots
Level: low · Status: test · Author: remotephone, oscd.community · ID: 0877ed01-da46-4c49-8476-d49cdd80dfa7
title: Screen Capture - macOS
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
status: test
description: Detects attempts to use screencapture to collect macOS screenshots
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
author: remotephone, oscd.community
date: 2020-10-13
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image: '/usr/sbin/screencapture'
    condition: selection
falsepositives:
    - Legitimate user activity taking screenshots
level: low

Screen Capture with Import Tool
Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
Level: low · Status: test · Author: Pawel Mazur · ID: dbe4b9c5-c254-4258-9688-d6af0b7967fd
title: Screen Capture with Import Tool
id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
status: test
description: |
  Detects adversary creating screen capture of a desktop with Import Tool.
  Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.
  ImageMagick must be installed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
    - https://linux.die.net/man/1/import
    - https://imagemagick.org/
author: 'Pawel Mazur'
date: 2021-09-21
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: linux
    service: auditd
detection:
    import:
        type: EXECVE
        a0: import
    import_window_root:
        a1: '-window'
        a2: 'root'
        a3|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    import_no_window_root:
        a1|endswith:
            - '.png'
            - '.jpg'
            - '.jpeg'
    condition: import and (import_window_root or import_no_window_root)
falsepositives:
    - Legitimate use of screenshot utility
level: low

Screen Capture with Xwd
Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations
Level: low · Status: test · Author: Pawel Mazur · ID: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
title: Screen Capture with Xwd
id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
status: test
description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
    - https://linux.die.net/man/1/xwd
author: 'Pawel Mazur'
date: 2021-09-13
modified: 2022-12-18
tags:
    - attack.collection
    - attack.t1113
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xwd
    xwd_root_window:
        a1: '-root'
        a2: '-out'
        a3|endswith: '.xwd'
    xwd_no_root_window:
        a1: '-out'
        a2|endswith: '.xwd'
    condition: selection and 1 of xwd_*
falsepositives:
    - Legitimate use of screenshot utility
level: low

Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software
Level: low · Status: test · Author: Daniil Yugoslavskiy, oscd.community · ID: c9d8b7fd-78e4-44fe-88f6-599135d46d60
title: Security Software Discovery - Linux
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: test
description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            # You can add more grep variations such as fgrep, rgrep...etc
            - '/grep'
            - '/egrep'
        CommandLine|contains:
            - 'nessusd'        # nessus vulnerability scanner
            - 'td-agent'       # fluentd log shipper
            - 'packetbeat'     # elastic network logger/shipper
            - 'filebeat'       # elastic log file shipper
            - 'auditbeat'      # elastic auditing agent/log shipper
            - 'osqueryd'       # facebook osquery
            - 'cbagentd'       # carbon black
            - 'falcond'        # crowdstrike falcon
    condition: selection
falsepositives:
    - Legitimate activities
level: low

Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Level: low · Status: test · Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team · ID: 11d00fff-5dc3-428c-8184-801f292faec0
title: Service Registry Key Read Access Request
id: 11d00fff-5dc3-428c-8184-801f292faec0
status: test
description: |
    Detects "read access" requests on the services registry key.
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
references:
    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    service: security
    definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
detection:
    selection:
        EventID: 4663
        ObjectName|contains|all:
            - '\SYSTEM\'
            - 'ControlSet\Services\'
        AccessList|contains: '%%1538' # READ_CONTROL
    condition: selection
falsepositives:
    - Likely from legitimate applications reading their key. Requires heavy tuning
level: low

Service Reload or Start - Linux
Detects the start, reload or restart of a service.
Level: low · Status: test · Author: Jakob Weinzettl, oscd.community, CheraghiMilad · ID: 2625cc59-0634-40d0-821e-cb67382a3dd7
title: Service Reload or Start - Linux
id: 2625cc59-0634-40d0-821e-cb67382a3dd7
status: test
description: Detects the start, reload or restart of a service.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: Jakob Weinzettl, oscd.community, CheraghiMilad
date: 2019-09-23
modified: 2025-03-03
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.002
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'systemctl'
            - 'service'
        a1|contains:
            - 'reload'
            - 'start'
    condition: selection
falsepositives:
    - Installation of legitimate service.
    - Legitimate reconfiguration of service.
    - Command line contains daemon-reload.
level: low

Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands
Level: low · Status: test · Author: Ömer Günal · ID: c21c4eaa-ba2e-419a-92b2-8371703cbe21
title: Setuid and Setgid
id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
status: test
description: Detects suspicious change of file privileges with chown and chmod commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
author: Ömer Günal
date: 2020-06-16
modified: 2022-10-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_root:
        CommandLine|contains: 'chown root'
    selection_perm:
        CommandLine|contains:
            - ' chmod u+s'
            - ' chmod g+s'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: low

Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Level: low · Status: stable · Author: Endgame, JHasenbusch (ported for oscd.community) · ID: 62510e69-616b-4078-b371-847da438cc03
title: Share And Session Enumeration Using Net.EXE
id: 62510e69-616b-4078-b371-847da438cc03
status: stable
description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: 'view'
    filter:
        CommandLine|contains: '\\\\'
    condition: all of selection_* and not filter
falsepositives:
    - Legitimate use of net.exe utility by legitimate user
level: low

Sign-ins by Unknown Devices
Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
Level: low · Status: test · Author: Michael Epping, '@mepples21' · ID: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
title: Sign-ins by Unknown Devices
id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
status: test
description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: singleFactorAuthentication
        ResultType: 0
        NetworkLocationDetails: '[]'
        DeviceDetail.deviceId: ''
    condition: selection
falsepositives:
    - Unknown
level: low

Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Level: low · Status: test · Author: remotephone · ID: b6e2a2e3-2d30-43b1-a4ea-071e36595690
title: Space After Filename - macOS
id: b6e2a2e3-2d30-43b1-a4ea-071e36595690
status: test
description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
author: remotephone
date: 2021-11-20
modified: 2023-01-04
tags:
    - attack.stealth
    - attack.t1036.006
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        CommandLine|endswith: ' '
    selection2:
        Image|endswith: ' '
    condition: 1 of selection*
falsepositives:
    - Mistyped commands or legitimate binaries named to match the pattern
level: low

Special File Creation via Mknod Syscall
Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Level: low · Status: experimental · Author: Milad Cheraghi · ID: 710bdbce-495d-491d-9a8f-7d0d88d2b41e
title: Special File Creation via Mknod Syscall
id: 710bdbce-495d-491d-9a8f-7d0d88d2b41e
status: experimental
description: |
    Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
    Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
    or establish covert channels in Linux systems.
    Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
    and it can be abused to bypass file system restrictions or create backdoors.
references:
    - https://man7.org/linux/man-pages/man2/mknod.2.html
    - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
author: Milad Cheraghi
date: 2025-05-31
modified: 2025-12-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'mknod'
    condition: selection
falsepositives:
    - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)
    - Container runtimes or security tools during initialization
level: low

Split A File Into Pieces
Detects use of the command "split" to split files into parts and possible transfer.
Level: low · Status: test · Author: Igor Fits, Mikhail Larin, oscd.community · ID: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
title: Split A File Into Pieces
id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
status: test
description: Detection use of the command "split" to split files into parts and possible transfer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-15
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1030
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/split'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low

Split A File Into Pieces - Linux
Detects use of the command "split" to split files into parts and possible transfer.
Level: low · Status: test · Author: Igor Fits, oscd.community · ID: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
title: Split A File Into Pieces - Linux
id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
status: test
description: 'Detection use of the command "split" to split files into parts and possible transfer.'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.exfiltration
    - attack.t1030
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: 'split'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low

Start Windows Service Via Net.EXE
Detects the usage of the "net.exe" command to start a service using the "start" flag
Level: low · Status: test · Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community · ID: 2a072a96-a086-49fa-bcb5-15cc5a619093
title: Start Windows Service Via Net.EXE
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: test
description: Detects the usage of the "net.exe" command to start a service using the "start" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2023-03-05
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: ' start '     # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
    condition: all of selection_*
falsepositives:
    - Legitimate administrator or user executes a service for legitimate reasons.
level: low

Startup Item File Created - MacOS
Detects the creation of a startup item plist file, which automatically gets executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Level: low · Status: test · Author: Alejandro Ortuno, oscd.community · ID: dfe8b941-4e54-4242-b674-6b613d521962
title: Startup Item File Created - MacOS
id: dfe8b941-4e54-4242-b674-6b613d521962
status: test
description: |
    Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
    Adversaries may use startup items automatically executed at boot initialization to establish persistence.
    Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
    - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2024-08-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1037.005
logsource:
    category: file_event
    product: macos
detection:
    selection:
        TargetFilename|startswith:
            - '/Library/StartupItems/'
            - '/System/Library/StartupItems'
        TargetFilename|endswith: '.plist'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

Steganography Extract Files with Steghide
Detects extraction of files with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Level: low · Status: test · Author: Pawel Mazur · ID: a5a827d9-1bbe-4952-9293-c59d897eb41b
title: Steganography Extract Files with Steghide
id: a5a827d9-1bbe-4952-9293-c59d897eb41b
status: test
description: Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
references:
    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
author: 'Pawel Mazur'
date: 2021-09-11
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: steghide
        a1: extract
        a2: '-sf'
        a3|endswith:
            - '.jpg'
            - '.png'
    condition: selection
falsepositives:
    - Unknown
level: low

Steganography Hide Files with Steghide
Detects embedding of files with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Level: low · Status: test · Author: Pawel Mazur · ID: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
title: Steganography Hide Files with Steghide
id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
status: test
description: Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
references:
    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
author: 'Pawel Mazur'
date: 2021-09-11
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: steghide
        a1: embed
        a2:
            - '-cf'
            - '-ef'
        a4:
            - '-cf'
            - '-ef'
    condition: selection
falsepositives:
    - Unknown
level: low

Steganography Hide Zip Information in Picture File
Detects appending of zip file to image
Level: low · Status: test · Author: Pawel Mazur · ID: 45810b50-7edc-42ca-813b-bdac02fb946b
title: Steganography Hide Zip Information in Picture File
id: 45810b50-7edc-42ca-813b-bdac02fb946b
status: test
description: Detects appending of zip file to image
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021-09-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: cat
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    a2:
        a2|endswith: '.zip'
    condition: commands and a1 and a2
falsepositives:
    - Unknown
level: low

Steganography Unzip Hidden Information From Picture File
Detects extracting of zip file from image file
Level: low · Status: test · Author: Pawel Mazur · ID: edd595d7-7895-4fa7-acb3-85a18a8772ca
title: Steganography Unzip Hidden Information From Picture File
id: edd595d7-7895-4fa7-acb3-85a18a8772ca
status: test
description: Detects extracting of zip file from image file
references:
    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
author: 'Pawel Mazur'
date: 2021-09-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1027.003
logsource:
    product: linux
    service: auditd
detection:
    commands:
        type: EXECVE
        a0: unzip
    a1:
        a1|endswith:
            - '.jpg'
            - '.png'
    condition: commands and a1
falsepositives:
    - Unknown
level: low

Stop Windows Service Via Net.EXE
Detects the stopping of a Windows service via the "net" utility.
Level: low · Status: test · Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ID: 88872991-7445-4a22-90b2-a3adadb0e827
title: Stop Windows Service Via Net.EXE
id: 88872991-7445-4a22-90b2-a3adadb0e827
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "net" utility.
references:
    - https://ss64.com/nt/net-service.html
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low

Stop Windows Service Via PowerShell Stop-Service
Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
Level: low · Status: test · Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ID: c49c5062-0966-4170-9efd-9968c913a6cf
title: Stop Windows Service Via PowerShell Stop-Service
id: c49c5062-0966-4170-9efd-9968c913a6cf
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc_net_img:
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_cli:
        CommandLine|contains: 'Stop-Service '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low

Stop Windows Service Via Sc.EXE
Detects the stopping of a Windows service via the "sc.exe" utility
Level: low · Status: test · Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ID: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
title: Stop Windows Service Via Sc.EXE
id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "sc.exe" utility
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'sc.exe'
        - Image|endswith: '\sc.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml

Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Level: low · Status: stable · Author: Thomas Patzke · ID: 5af54681-df95-4c26-854f-2565e13cfab0
title: Successful Account Login Via WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detects successful logon attempts performed with WMI
references:
    - Internal Research
author: Thomas Patzke
date: 2019-12-04
modified: 2024-01-17
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        ProcessName|endswith: '\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Monitoring tools
    - Legitimate system administration
level: low
low
Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
status test author frack113 id 1883444f-084b-419b-ac62-e0d0c5b3693f
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
description: |
    Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
    Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021-12-27
tags:
    - attack.credential-access
    - attack.t1110.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
            - 'System.Net.NetworkCredential'
            - 'System.DirectoryServices.Protocols.LdapConnection'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Suspicious Deno File Written from Remote Source
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
status experimental author Josh Nickels, Michael Taggart id 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing its own malicious DLL.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of deno to request a file or bring a DLL to a host
level: low
low
Suspicious Execution of Hostname
Use of hostname to get information
status test author frack113 id 7be5fb68-f9ef-476d-8b51-0256ebece19e
title: Suspicious Execution of Hostname
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
status: test
description: Use of hostname to get information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
author: frack113
date: 2022-01-01
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\HOSTNAME.EXE'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
status test author frack113 id 0ef56343-059e-4cb6-adc1-4c3c967c5e46
title: Suspicious Execution of Systeminfo
id: 0ef56343-059e-4cb6-adc1-4c3c967c5e46
status: test
description: Detects usage of the "systeminfo" command to retrieve information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
author: frack113
date: 2022-01-01
modified: 2022-07-14
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\systeminfo.exe'
        - OriginalFileName: 'sysinfo.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is commonly observed in credential stealing malware.
status experimental author frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore id a1dfd976-4852-41d4-9507-dc6590a3ccd0
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
    This behavior is commonly observed in credential stealing malware.
references:
    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1555.003
    - attack.discovery
    - attack.t1217
logsource:
    category: file_access
    product: windows
detection:
    selection_browser_paths:
        FileName|contains:
            - '\Sputnik\Sputnik'
            - '\MapleStudio\ChromePlus'
            - '\QIP Surf'
            - '\BlackHawk'
            - '\7Star\7Star'
            - '\CatalinaGroup\Citrio'
            - '\Google\Chrome'
            - '\Coowon\Coowon'
            - '\CocCoc\Browser'
            - '\uCozMedia\Uran'
            - '\Tencent\QQBrowser'
            - '\Orbitum'
            - '\Slimjet'
            - '\Iridium'
            - '\Vivaldi'
            - '\Chromium'
            - '\GhostBrowser'
            - '\CentBrowser'
            - '\Xvast'
            - '\Chedot'
            - '\SuperBird'
            - '\360Browser\Browser'
            - '\360Chrome\Chrome'
            - '\Comodo\Dragon'
            - '\BraveSoftware\Brave-Browser'
            - '\Torch'
            - '\UCBrowser\'
            - '\Blisk'
            - '\Epic Privacy Browser'
            - '\Nichrome'
            - '\Amigo'
            - '\Kometa'
            - '\Xpom'
            - '\Microsoft\Edge'
            - '\Liebao7Default\EncryptedStorage'
            - '\AVAST Software\Browser'
            - '\Kinza'
            - '\Mozilla\SeaMonkey\'
            - '\Comodo\IceDragon\'
            - '\8pecxstudios\Cyberfox\'
            - '\FlashPeak\SlimBrowser\'
            - '\Moonchild Productions\Pale Moon\'
    selection_browser_subpaths:
        FileName|contains:
            - '\Profiles\'
            - '\User Data'
    selection_cred_files:
        - FileName|contains:
              - '\Login Data'
              - '\Cookies'
              - '\EncryptedStorage'
              - '\WebCache\'
        - FileName|endswith:
              - 'cert9.db'
              - 'cookies.sqlite'
              - 'formhistory.sqlite'
              - 'key3.db'
              - 'key4.db'
              - 'Login Data.sqlite'
              - 'logins.json'
              - 'places.sqlite'
    filter_main_img:
        Image|endswith:
            - '\Sputnik.exe'
            - '\ChromePlus.exe'
            - '\QIP Surf.exe'
            - '\BlackHawk.exe'
            - '\7Star.exe'
            - '\Sleipnir5.exe'
            - '\Citrio.exe'
            - '\Chrome SxS.exe'
            - '\Chrome.exe'
            - '\Coowon.exe'
            - '\CocCocBrowser.exe'
            - '\Uran.exe'
            - '\QQBrowser.exe'
            - '\Orbitum.exe'
            - '\Slimjet.exe'
            - '\Iridium.exe'
            - '\Vivaldi.exe'
            - '\Chromium.exe'
            - '\GhostBrowser.exe'
            - '\CentBrowser.exe'
            - '\Xvast.exe'
            - '\Chedot.exe'
            - '\SuperBird.exe'
            - '\360Browser.exe'
            - '\360Chrome.exe'
            - '\dragon.exe'
            - '\brave.exe'
            - '\torch.exe'
            - '\UCBrowser.exe'
            - '\BliskBrowser.exe'
            - '\Epic Privacy Browser.exe'
            - '\nichrome.exe'
            - '\AmigoBrowser.exe'
            - '\KometaBrowser.exe'
            - '\XpomBrowser.exe'
            - '\msedge.exe'
            - '\LiebaoBrowser.exe'
            - '\AvastBrowser.exe'
            - '\Kinza.exe'
            - '\seamonkey.exe'
            - '\icedragon.exe'
            - '\cyberfox.exe'
            - '\SlimBrowser.exe'
            - '\palemoon.exe'
    filter_main_path:
        Image|contains:
            - '\Sputnik\'
            - '\MapleStudio\'
            - '\QIP Surf\'
            - '\BlackHawk\'
            - '\7Star\'
            - '\Fenrir Inc\'
            - '\CatalinaGroup\'
            - '\Google\'
            - '\Coowon\'
            - '\CocCoc\'
            - '\uCozMedia\'
            - '\Tencent\'
            - '\Orbitum\'
            - '\Slimjet\'
            - '\Iridium\'
            - '\Vivaldi\'
            - '\Chromium\'
            - '\GhostBrowser\'
            - '\CentBrowser\'
            - '\Xvast\'
            - '\Chedot\'
            - '\SuperBird\'
            - '\360Browser\'
            - '\360Chrome\'
            - '\Comodo\'
            - '\BraveSoftware\'
            - '\Torch\'
            - '\UCBrowser\'
            - '\Blisk\'
            - '\Epic Privacy Browser\'
            - '\Nichrome\'
            - '\Amigo\'
            - '\Kometa\'
            - '\Xpom\'
            - '\Microsoft\'
            - '\Liebao7\'
            - '\AVAST Software\'
            - '\Kinza\'
            - '\Mozilla\'
            - '\8pecxstudios\'
            - '\FlashPeak\'
            - '\Moonchild Productions\'
    filter_main_system:
        Image: System
        ParentImage: Idle
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: '\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_msiexec:
        ParentImage: 'C:\Windows\System32\msiexec.exe'
    filter_optional_other:
        Image|endswith: '\everything.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Legitimate software accessing browser data for synchronization or backup purposes.
    - Legitimate software installed on partitions other than "C:\"
level: low
low
Suspicious GPO Discovery With Get-GPO
Detects use of Get-GPO to get one GPO or all the GPOs in a domain.
status test author frack113 id eb2fd349-ec67-4caa-9143-d79c7fb34441
title: Suspicious GPO Discovery With Get-GPO
id: eb2fd349-ec67-4caa-9143-d79c7fb34441
status: test
description: Detects use of Get-GPO to get one GPO or all the GPOs in a domain.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
author: frack113
date: 2022-06-04
tags:
    - attack.discovery
    - attack.t1615
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-GPO
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
status test author frack113 id 95f0643a-ed40-467c-806b-aac9542ec5ab
title: Suspicious Get Information for SMB Share
id: 95f0643a-ed40-467c-806b-aac9542ec5ab
status: test
description: |
    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
    a precursor for Collection and to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: get-smbshare
    condition: selection
falsepositives:
    - Unknown
level: low
low
Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
status test author frack113 id 6942bd25-5970-40ab-af49-944247103358
title: Suspicious Get Information for SMB Share - PowerShell Module
id: 6942bd25-5970-40ab-af49-944247103358
status: test
description: |
    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
    to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        - Payload|contains: get-smbshare
        - ContextInfo|contains: get-smbshare
    condition: selection
falsepositives:
    - Administrator script
level: low
low
Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
status test author frack113 id cef24b90-dddc-4ae1-a09a-8764872f69fc
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
related:
    - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_localgroup:
        - Payload|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
        - ContextInfo|contains:
              - 'get-localgroup '
              - 'get-localgroupmember '
    selection_wmi_module:
        - Payload|contains:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
        - ContextInfo|contains|all:
              - 'get-wmiobject '
              - 'gwmi '
              - 'get-ciminstance '
              - 'gcim '
    selection_wmi_class:
        - Payload|contains: 'win32_group'
        - ContextInfo|contains: 'win32_group'
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Administrator script
level: low
low
Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
status test author frack113 id fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
title: Suspicious Get Local Groups Information - PowerShell
id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: |
    Detects the use of PowerShell modules and cmdlets to gather local group information.
    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_localgroup:
        ScriptBlockText|contains:
            - 'get-localgroup '
            - 'get-localgroupmember '
    selection_wmi_module:
        ScriptBlockText|contains:
            - 'get-wmiobject '
            - 'gwmi '
            - 'get-ciminstance '
            - 'gcim '
    selection_wmi_class:
        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
    condition: selection_localgroup or all of selection_wmi_*
falsepositives:
    - Inventory scripts or admin tasks
level: low
low
Suspicious Inbox Forwarding
Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
status test author Austin Songer @austinsonger id 6c220477-0b5b-4b25-bb90-66183b4089e8
title: Suspicious Inbox Forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
status: test
description: Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-22
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1020
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Suspicious inbox forwarding'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: low
low
Suspicious Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
status test author frack113 id 29e1c216-6408-489d-8a06-ee9d151ef819
title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low
Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
status test author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' id a29c1813-ab1f-4dde-b489-330b952e91ae
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re:
            - 'ipconfig\s+/all'
            - 'netsh\s+interface show interface'
            - 'arp\s+-a'
            - 'nbtstat\s+-n'
            - 'net\s+config'
            - 'route\s+print'
    condition: selection
falsepositives:
    - Administrator activity, or a support hotline asking the user to run the command
level: low
low
Suspicious Network Communication With IPFS
Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
status test author Gavin Knapp id eb6c2004-1cef-427f-8885-9042974e5eb6
title: Suspicious Network Communication With IPFS
id: eb6c2004-1cef-427f-8885-9042974e5eb6
status: test
description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
references:
    - https://blog.talosintelligence.com/ipfs-abuse/
    - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
    - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
author: Gavin Knapp
date: 2023-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056
logsource:
    category: proxy
detection:
    selection:
        cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
    condition: selection
falsepositives:
    - Legitimate use of IPFS in the organisation. However, the cs-uri regex looking for a user email will likely negate this.
level: low
low
Suspicious PowerShell Get Current User
Detects the use of PowerShell to identify the currently logged-on user.
status test author frack113 id 4096a49c-7de4-4da0-a230-c66ccd56ea5a
title: Suspicious PowerShell Get Current User
id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
status: test
description: Detects the use of PowerShell to identify the currently logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
author: frack113
date: 2022-04-04
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '[System.Environment]::UserName'
            - '$env:UserName'
            - '[System.Security.Principal.WindowsIdentity]::GetCurrent()'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low
Suspicious Process Discovery With Get-Process
Get the processes that are running on the local computer.
status test author frack113 id af4c87ce-bdda-4215-b998-15220772e993
title: Suspicious Process Discovery With Get-Process
id: af4c87ce-bdda-4215-b998-15220772e993
status: test
description: Get the processes that are running on the local computer.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
author: frack113
date: 2022-03-17
tags:
    - attack.discovery
    - attack.t1057
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: Get-Process
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
low
Suspicious Query of MachineGUID
Use of reg to get MachineGuid information
status test author frack113 id f5240972-3938-4e56-8e4b-e33893176c1f
title: Suspicious Query of MachineGUID
id: f5240972-3938-4e56-8e4b-e33893176c1f
status: test
description: Use of reg to get MachineGuid information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
author: frack113
date: 2022-01-01
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'SOFTWARE\Microsoft\Cryptography'
            - '/v '
            - 'MachineGuid'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Suspicious SSL Connection
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
status test author frack113 id 195626f3-5f1b-4403-93b7-e6cfd4d6a078
title: Suspicious SSL Connection
id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
status: test
description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
    - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022-01-23
tags:
    - attack.command-and-control
    - attack.t1573
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - System.Net.Security.SslStream
            - Net.Security.RemoteCertificateValidationCallback
            - '.AuthenticateAsClient'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: low
low
Suspicious Where Execution
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id 725a9768-0f5e-4cb3-aec2-bc5719c6831a
title: Suspicious Where Execution
id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a
status: test
description: |
    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
    internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2022-06-29
tags:
    - attack.discovery
    - attack.t1217
logsource:
    category: process_creation
    product: windows
detection:
    where_exe:
        - Image|endswith: '\where.exe'
        - OriginalFileName: 'where.exe'
    where_opt:
        CommandLine|contains:
            # Firefox Data
            - 'places.sqlite'
            - 'cookies.sqlite'
            - 'formhistory.sqlite'
            - 'logins.json'
            - 'key4.db'
            - 'key3.db'
            - 'sessionstore.jsonlz4'
            # Chrome Data
            - 'History'
            - 'Bookmarks'
            - 'Cookies'
            - 'Login Data'
    condition: all of where_*
falsepositives:
    - Unknown
level: low
low
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
status test author Nasreddine Bencherchali (Nextron Systems) id d29a20b2-be4b-4827-81f2-3d8a59eab5fc
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
    Detects execution of Sysinternals tools via an AppX package.
    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low
low
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
status experimental author Milad Cheraghi id b207d563-a1d9-4275-b349-77d1eb55aa6d
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
    - attack.discovery
    - attack.t1057
    - attack.t1082
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'sysinfo'
    filter_optional_splunk:
        exe|endswith: '/bin/splunkd'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative activity
level: low
low
System Information Discovery - Auditd
Detects System Information Discovery commands
status test author Pawel Mazur id f34047d9-20d3-4e8b-8672-0a35cc50dc71
title: System Information Discovery - Auditd
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
status: test
description: Detects System Information Discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
author: Pawel Mazur
date: 2021-09-03
modified: 2023-03-06
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: PATH
        name:
            - /etc/lsb-release
            - /etc/redhat-release
            - /etc/issue
    selection_2:
        type: EXECVE
        a0:
            - uname
            - uptime
            - lsmod
            - hostname
            - env
    selection_3:
        type: EXECVE
        a0: grep
        a1|contains:
            - vbox
            - vm
            - xen
            - virtio
            - hv
    selection_4:
        type: EXECVE
        a0: kmod
        a1: list
    condition: 1 of selection_*
falsepositives:
    - Likely
level: low
low
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
status experimental author lazarg id 0022869c-49f7-4ff2-ba03-85ac42ddac58
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
    - https://cert.gov.ua/article/6277849
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
modified: 2025-10-25
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
    condition: 1 of selection_cmd_* and selection_keys
falsepositives:
    - Unlikely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
simulation:
    - type: atomic-red-team
      name: System Information Discovery
      technique: T1010
      atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
    - type: atomic-red-team
      name: Discover OS Product Name via Registry
      technique: T1082
      atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
    - type: atomic-red-team
      name: Discover OS Build Number via Registry
      technique: T1082
      atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
low
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id 53821412-17b0-4147-ade0-14faae67d54b
title: System Integrity Protection (SIP) Enumeration
id: 53821412-17b0-4147-ade0-14faae67d54b
status: test
description: |
    Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
status test author Daniil Yugoslavskiy, oscd.community id 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
title: System Network Connections Discovery - Linux
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: test
description: Detects usage of system utilities to discover system network connections
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2023-01-17
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/who'
            - '/w'
            - '/last'
            - '/lsof'
            - '/netstat'
    filter_landscape_sysinfo:
        ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
        Image|endswith: '/who'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate activities
level: low
Showing 201-250 of 275