title: System Network Connections Discovery Via Net.EXE
id: 1c67a717-32ba-409b-a45d-0fb704a73a81
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
author: frack113
date: 2021-12-10
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        - CommandLine|endswith:
              - ' use'
              - ' sessions'
        - CommandLine|contains:
              - ' use '
              - ' sessions '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: System Owner or User Discovery - Linux
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: |
    Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
    Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0:
            - 'hostname'
            - 'id'
            - 'last'
            - 'uname'
            - 'users'
            - 'w'
            - 'who'
            - 'whoami'
    condition: selection
falsepositives:
    - Admin activity
level: low

title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low

title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low

title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: test
description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-01-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
    condition: selection
level: low

title: USB Device Plugged
id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
status: test
description: Detects plugged/unplugged USB devices
references:
    - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
    - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
author: Florian Roth (Nextron Systems)
date: 2017-11-09
modified: 2021-11-30
tags:
    - attack.initial-access
    - attack.t1200
logsource:
    product: windows
    service: driver-framework
    definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog'
detection:
    selection:
        EventID:
            - 2003  # Loading drivers
            - 2100  # Pnp or power management
            - 2102  # Pnp or power management
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low

title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
references:
    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
    - Live environment caused by malware
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
    selection:
        EventID: 4616
    filter_main_svchost:
        ProcessName: 'C:\Windows\System32\svchost.exe'
        SubjectUserSid: 'S-1-5-19'
    filter_optional_vmtools:
        ProcessName:
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Windows\System32\VBoxService.exe'
            - 'C:\Windows\System32\oobe\msoobe.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low

title: Uncommon Process Access Rights For Target Image
id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
status: test
description: |
    Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-27
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.011
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith:
            # Note: Add additional uncommon targets to increase coverage.
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\wordpad.exe'
            - '\write.exe'
        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
    condition: selection
falsepositives:
    - Unknown
# Note: please upgrade to a higher level after an initial test/tuning.
level: low

title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020-10-08
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: low

title: Use Get-NetTCPConnection
id: b366adb4-d63d-422d-8a2c-186463b5ded0
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2023-10-27
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Use Get-NetTCPConnection - PowerShell Module
id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Use Of Hidden Paths Or Files
id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
    - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
      type: similar
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: David Burkett, @signalblur
date: 2022-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|contains: '/.'
    filter:
        name|contains:
            - '/.cache/'
            - '/.config/'
            - '/.pyenv/'
            - '/.rustup/toolchains'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low

title: Virtualbox Driver Installation or Starting of VMs
id: bab049ca-7471-4828-9024-38279a4c04da
status: test
description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
references:
    - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
    - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
author: Janantha Marasinghe
date: 2020-09-26
modified: 2025-07-29
tags:
    - attack.stealth
    - attack.t1564.006
    - attack.t1564
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'VBoxRT.dll,RTR3Init'
            - 'VBoxC.dll'
            - 'VBoxDrv.sys'
    selection_2:
        CommandLine|contains:
            - 'startvm'
            - 'controlvm'
    condition: 1 of selection_*
falsepositives:
    - This may have false positives on hosts where Virtualbox is legitimately being used for operations
level: low

title: Volume Shadow Copy Mount
id: f512acbf-e662-4903-843e-97ce4652b740
status: test
description: Detects volume shadow copy mount via Windows event log
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Ntfs
        EventID: 98
        DeviceName|contains: HarddiskVolumeShadowCopy
    condition: selection
falsepositives:
    - Legitimate use of volume shadow copy mounts (backups maybe).
level: low

title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: test
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: low

title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low

title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: test
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2032 # Windows Defender Firewall has been reset to its default configuration
            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
    condition: selection
level: low

title: Windows Defender Submit Sample Feature Disabled
id: 91903aba-1088-42ee-b680-d6d94fe002b0
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: similar
    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
      type: similar
    - id: 801bd44f-ceed-4eb6-887c-11544633c0aa
      type: similar
status: stable
description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
    condition: selection
falsepositives:
    - Administrator activity (must be investigated)
level: low

title: Windows Event Auditing Disabled
id: 69aeb277-f15f-4d2d-b32a-55e883609563
related:
    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
      type: derived
status: test
description: |
    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
date: 2017-11-19
modified: 2023-11-15
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    filter_main_guid:
        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
        SubcategoryGuid:
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low # Increase this after a testing period in your environment

title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: test
description: Detects activity when the settings of the Windows firewall have been changed
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2002 # A Windows Defender Firewall setting has changed.
            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
            - 2003 # A Windows Firewall setting in the profile has changed
            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
            - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
            # - 2010  # Network profile changed on an interface.
    condition: selection
level: low

title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low

title: Windows Processes Suspicious Parent Directory
id: 96036718-71cc-4027-a538-d1587e0006a7
status: test
description: Detect suspicious parent processes of well-known Windows processes
references:
    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
author: vburov
date: 2019-02-23
modified: 2025-03-06
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
              - '\SavService.exe'
              - '\ngen.exe'
        - ParentImage|contains:
              - '\System32\'
              - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage:
              - ''
              - '-'
    condition: selection and not 1 of filter_*
falsepositives:
    - Some security products seem to spawn these
level: low

title: Windows Service Terminated With Error
id: acfa2210-0d71-4eeb-b477-afab494d596c
related:
    - id: d6b5520d-3934-48b4-928c-2aa3f92d6963
      type: similar
status: test
description: Detects Windows services that got terminated for whatever reason
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.stealth
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    condition: selection
falsepositives:
    - False positives could occur since service termination could happen due to multiple reasons
level: low

title: Windows Share Mount Via Net.EXE
id: f117933c-980c-4f78-b384-e3d838111165
related:
    - id: 3abd6094-7027-475f-9630-8ab9be7b9725
      type: similar
status: test
description: Detects when a share is mounted using the "net.exe" utility
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-02
modified: 2023-02-21
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains:
            - ' use '
            - ' \\\\'
    condition: all of selection_*
falsepositives:
    - Legitimate activity by administrators and scripts
level: low

title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: test
description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low