Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects browsers started with remote debugging flags, a technique often used for browser injection attacks (the referenced tooling drives the debugging interface to read cookies and sessions out of a running browser).
Status: test | Level: medium | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | ID: b3d34dc5-2efd-4ae3-845f-8ec14921f449
title: Browser Started with Remote Debugging
id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
related:
    - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
      type: derived
status: test
description: Detects browsers started with remote debugging flags, a technique often used for browser injection attacks (the referenced tooling drives the debugging interface to read cookies and sessions out of a running browser).
references:
    - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
    - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://github.com/wunderwuzzi23/firefox-cookiemonster
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-27
modified: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1185
logsource:
    category: process_creation
    product: windows
detection:
    selection_chromium_based:
        # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
        CommandLine|contains: ' --remote-debugging-'
    selection_firefox:
        Image|endswith: '\firefox.exe'
        CommandLine|contains: ' -start-debugger-server'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
C# IL Code Compilation Via Ilasm.EXE
Detects the use of "Ilasm.EXE" to assemble intermediate language (IL) code into an EXE or DLL.
Status: test | Level: medium | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | ID: 850d55f9-6eeb-4492-ad69-a72338f65ba4
title: C# IL Code Compilation Via Ilasm.EXE
id: 850d55f9-6eeb-4492-ad69-a72338f65ba4
status: test
description: Detects the use of "Ilasm.EXE" to assemble intermediate language (IL) code into an EXE or DLL.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
    - https://www.echotrail.io/insights/search/ilasm.exe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-07
modified: 2022-05-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\ilasm.exe'
        - OriginalFileName: 'ilasm.exe'
    selection_cli:
        CommandLine|contains:
            - ' /dll'
            - ' /exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
CA Policy Removed by Non Approved Actor
Monitors and alerts on Conditional Access changes where a non-approved actor removed a CA policy.
Status: test | Level: medium | Author: Corissa Koopmans, '@corissalea' | ID: 26e7c5e2-6545-481e-b7e6-050143459635
title: CA Policy Removed by Non Approved Actor
id: 26e7c5e2-6545-481e-b7e6-050143459635
status: test
description: Monitors and alerts on Conditional Access changes where a non-approved actor removed a CA policy.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Delete conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
CA Policy Updated by Non Approved Actor
Monitors and alerts on Conditional Access changes. Is the initiating actor approved to make changes? Review the modified properties and compare the "old" value against the "new" one.
Status: test | Level: medium | Author: Corissa Koopmans, '@corissalea' | ID: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitors and alerts on Conditional Access changes. Is the initiating actor approved to make changes? Review the modified properties and compare the "old" value against the "new" one.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022-07-19
modified: 2024-05-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Update conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
CLR DLL Loaded Via Office Applications
Detects the CLR DLL (clr.dll) being loaded by an Office product, which indicates .NET code running inside the Office process.
Status: test | Level: medium | Author: Antonlovesdnb | ID: d13c43f0-f66b-4279-8b2c-5912077c1780
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects the CLR DLL (clr.dll) being loaded by an Office product, which indicates .NET code running inside the Office process.
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains: '\clr.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
COM Hijacking via TreatAs
Detects modification of a TreatAs registry key, which redirects a COM class to another CLSID so that attacker code is loaded when the class is invoked, for example with "rundll32.exe -sta".
Status: test | Level: medium | Author: frack113 | ID: dc5c24af-6995-49b2-86eb-a9ff62199e82
title: COM Hijacking via TreatAs
id: dc5c24af-6995-49b2-86eb-a9ff62199e82
status: test
description: Detects modification of a TreatAs registry key, which redirects a COM class to another CLSID so that attacker code is loaded when the class is invoked, for example with "rundll32.exe -sta".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
author: frack113
date: 2022-08-28
modified: 2025-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'TreatAs\(Default)'
    filter_office:
        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_office2:
        Image:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_svchost:
        # Example of target object by svchost
        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        Image: 'C:\Windows\system32\svchost.exe'
    filter_misexec:
        # This FP has been seen during installation/updates
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use
level: medium
COM Object Execution via Xwizard.EXE
Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument.
This utility can be abused to run a custom COM object registered in the registry.
Status: test | Level: medium | Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) | ID: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
title: COM Object Execution via Xwizard.EXE
id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
status: test
description: |
    Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument.
    This utility can be abused to run a custom COM object registered in the registry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
    - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-07
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Both conditions apply to the same CommandLine field, so a substring match is needed here; an exact match on 'RunWizard' could never also satisfy the GUID regex
        CommandLine|contains: 'RunWizard'
        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
    condition: selection
falsepositives:
    - Unknown
level: medium
CSExec Service File Creation
Detects the default CSExec service filename, which indicates CSExec service installation and execution.
Status: test | Level: medium | Author: Nasreddine Bencherchali (Nextron Systems) | ID: f0e2b768-5220-47dd-b891-d57b96fc0ec1
title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects the default CSExec service filename, which indicates CSExec service installation and execution.
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\csexecsvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
CSExec Service Installation
Detects CSExec service installation and execution events
Status: test | Level: medium | Author: Nasreddine Bencherchali (Nextron Systems) | ID: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
title: CSExec Service Installation
id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
status: test
description: Detects CSExec service installation and execution events
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'csexecsvc'
        - ImagePath|endswith: '\csexecsvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Capture Credentials with Rpcping.exe
Detects use of Rpcping.exe to send an RPC test connection to a target server (-s) in a way that forces the client to authenticate with NTLM, so that its NetNTLM challenge-response can be captured by a listener on that server.
Status: test | Level: medium | Author: Julia Fomina, oscd.community | ID: 93671f99-04eb-4ab4-a161-70d446a84003
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects use of Rpcping.exe to send an RPC test connection to a target server (-s) in a way that forces the client to authenticate with NTLM, so that its NetNTLM challenge-response can be captured by a listener on that server.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twitter.com/vysecurity/status/873181705024266241
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020-10-09
modified: 2025-10-31
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\RpcPing.exe'
        - OriginalFileName: 'RpcPing.exe' # OriginalFileName carries no path, so a leading backslash here would never match
    selection_main_flag:
        CommandLine|contains|windash: '-s'
    selection_cli_ntlm:
        CommandLine|contains|windash: '-u'
        CommandLine|contains: 'NTLM'
    selection_cli_ncacn:
        CommandLine|contains|windash: '-t'
        CommandLine|contains: 'ncacn_np'
    condition: all of selection_main_* and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: medium
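To see how selections and conditions like the ones above are actually evaluated, here is an added example (not code from the page, the rule authors or the Sigma project). It implements the subset of Sigma matching these rules use (contains, startswith, endswith, re, windash, all; a list is OR and a mapping is AND; conditions built from names, "1 of x_*", "all of x_*", not, and, or) and runs the Rpcping rule above and the COM Hijacking via TreatAs rule earlier on this page against constructed events. The windash handling is simplified (every dash in one value takes the same replacement character), the placeholder CLSID is made up, and the events are not real telemetry.

```python
"""Minimal evaluator for the Sigma subset used by the rules on this page (added
example, not pySigma). Rules are `detection` sections transcribed as dicts."""
import fnmatch
import re

# `windash`: a '-' in the value also matches these characters (simplified: all dashes in one value take the same alternative)
WINDASH = ["-", "/", "\u2013", "\u2014", "\u2015"]


def match_value(field_value, pattern, modifiers):
    """Match one field value against one pattern under a modifier chain."""
    if field_value is None:
        return False
    if "re" in modifiers:
        return re.search(pattern, field_value) is not None
    candidates = [pattern.replace("-", d) for d in WINDASH] if "windash" in modifiers else [pattern]
    haystack = field_value.lower()  # plain Sigma string matching is case-insensitive
    for cand in (c.lower() for c in candidates):
        if "contains" in modifiers:
            hit = cand in haystack
        elif "startswith" in modifiers:
            hit = haystack.startswith(cand)
        elif "endswith" in modifiers:
            hit = haystack.endswith(cand)
        else:
            hit = haystack == cand
        if hit:
            return True
    return False


def match_selection(event, selection):
    """List = OR over items; mapping = AND over keys; several values under one key = OR unless `all`."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    for key, spec in selection.items():
        field, *modifiers = key.split("|")
        values = spec if isinstance(spec, list) else [spec]
        hits = [match_value(event.get(field), str(v), modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def evaluate(detection, event):
    """Evaluate a `detection` block (condition included) against one event."""
    results = {n: match_selection(event, s) for n, s in detection.items() if n != "condition"}
    tokens = detection["condition"].split()

    def atom():
        tok = tokens.pop(0)
        if tok == "not":
            return not atom()
        if tok in ("1", "all") and tokens[:1] == ["of"]:  # "1 of x_*" / "all of x_*"
            tokens.pop(0)
            hits = [results[n] for n in fnmatch.filter(results, tokens.pop(0))]
            return all(hits) if tok == "all" else any(hits)
        return results[tok]

    def conj():  # 'and' binds tighter than 'or'
        value = atom()
        while tokens[:1] == ["and"]:
            tokens.pop(0)
            value = atom() and value
        return value

    value = conj()
    while tokens[:1] == ["or"]:
        tokens.pop(0)
        value = conj() or value
    return value


# `detection` sections of two rules on this page, transcribed as dicts.
RPCPING = {
    "selection_main_img": [{"Image|endswith": "\\RpcPing.exe"}, {"OriginalFileName": "RpcPing.exe"}],
    "selection_main_flag": {"CommandLine|contains|windash": "-s"},
    "selection_cli_ntlm": {"CommandLine|contains|windash": "-u", "CommandLine|contains": "NTLM"},
    "selection_cli_ncacn": {"CommandLine|contains|windash": "-t", "CommandLine|contains": "ncacn_np"},
    "condition": "all of selection_main_* and 1 of selection_cli_*",
}
TREATAS = {
    "selection": {"TargetObject|endswith": "TreatAs\\(Default)"},
    "filter_svchost": {"Image": "C:\\Windows\\system32\\svchost.exe"},
    "filter_misexec": {"Image": ["C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe"]},
    "condition": "selection and not 1 of filter_*",
}
RULES = {"Capture Credentials with Rpcping.exe": RPCPING, "COM Hijacking via TreatAs": TREATAS}


def rpcping_event(cmdline):  # constructed process_creation event, not real telemetry
    return {"Image": "C:\\Windows\\System32\\RpcPing.exe", "OriginalFileName": "RpcPing.exe", "CommandLine": cmdline}


CLSID = "{00000000-0000-0000-0000-000000000001}"  # placeholder, not a real hijacked class
EVENTS = [
    rpcping_event("rpcping -s 10.0.0.5 -e 135 -a privacy -u NTLM"),  # fires: NTLM forced
    rpcping_event("rpcping /s 10.0.0.5 /t ncacn_np"),  # fires: slash-style flags matched via windash
    rpcping_event("rpcping -s 10.0.0.5"),  # no NTLM / ncacn_np: does not fire
    {"Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKCR\\CLSID\\" + CLSID + "\\TreatAs\\(Default)"},
    {"Image": "C:\\Windows\\system32\\svchost.exe", "TargetObject": "HKCR\\CLSID\\" + CLSID + "\\TreatAs\\(Default)"},
]


def scan(events):
    """Titles of the rules that fire, keyed by event index."""
    return {i: [t for t, det in RULES.items() if evaluate(det, ev)] for i, ev in enumerate(events)}
```

Running scan(EVENTS) flags events 0 and 1 for the Rpcping rule (the second only because windash expands '-s' to '/s') and event 3 for TreatAs; event 4 is suppressed by filter_svchost. Note that without the windash modifier, or with an exact-match selector where a substring was intended (see the Xwizard rule above), the second event would be missed entirely.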
Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Status: test | Level: medium | Author: Zach Mathis | ID: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
title: Certificate Exported From Local Certificate Store
id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
status: test
description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: certificateservicesclient-lifecycle-system
detection:
    selection:
        EventID: 1007 # A certificate has been exported
    condition: selection
falsepositives:
    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
level: medium
Certificate Exported Via Certutil.EXE
Detects execution of certutil with the "-exportPFX" flag, which exports a certificate together with its private key from the certificate store into a PFX file.
Status: test | Level: medium | Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) | ID: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
title: Certificate Exported Via Certutil.EXE
id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5
status: test
description: Detects execution of certutil with the "-exportPFX" flag, which exports a certificate together with its private key from the certificate store into a PFX file.
references:
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-exportPFX '
    condition: all of selection_*
falsepositives:
    - There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Status: test | Level: medium | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
title: Certificate Exported Via PowerShell
id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
related:
    - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
      type: similar
status: test
description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-18
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1552.004
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Export-PfxCertificate '
            - 'Export-Certificate '
    condition: selection
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Status: test | Level: medium | Author: Florian Roth (Nextron Systems) | ID: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
title: Certificate Exported Via PowerShell - ScriptBlock
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
related:
    - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
      type: similar
status: test
description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-05-18
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PfxCertificate'
            - 'Export-Certificate'
    filter_optional_module_export:
        ScriptBlockText|contains: 'CmdletsToExport = @('
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
Certificate Private Key Acquired
Detects when an application acquires a certificate's private key.
Status: test | Level: medium | Author: Zach Mathis | ID: e2b5163d-7deb-4566-9af3-40afea6858c3
title: Certificate Private Key Acquired
id: e2b5163d-7deb-4566-9af3-40afea6858c3
status: test
description: Detects when an application acquires a certificate's private key.
references:
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Zach Mathis
date: 2023-05-13
tags:
    - attack.credential-access
    - attack.t1649
logsource:
    product: windows
    service: capi2
    definition: 'Requirements: The CAPI2 Operational log needs to be enabled'
detection:
    selection:
        EventID: 70 # Acquire Certificate Private Key
    condition: selection
falsepositives:
    - Legitimate applications acquiring a private key (for example for TLS, signing or decryption) will trigger this. Apply additional filters as needed
level: medium
Certificate Use With No Strong Mapping
Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)
This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.
Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
Status: test | Level: medium | Author: @br4dy5 | ID: 993c2665-e6ef-40e3-a62a-e1a97686af79
title: Certificate Use With No Strong Mapping
id: 993c2665-e6ef-40e3-a62a-e1a97686af79
status: test
description: |
    Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)
    This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.
    Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
references:
    - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
author: '@br4dy5'
date: 2023-10-09
modified: 2025-09-22
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 39
            - 41 # For Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
    condition: selection
falsepositives:
    - If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user
    - If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name
level: medium
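The two falsepositive notes above amount to a triage procedure for event 39: a weak mapping whose subject CN is the authenticating account is usually legacy noise, while a CN that names a different principal or a machine account ($) is what certificate spoofing looks like. Here is an added example (not from the rule author or from Microsoft's documentation) that applies that procedure in Python to the event's message text. It assumes the message body carries labelled "User:", "Certificate Subject:", "Certificate Issuer:", "Certificate Serial Number:" and "Certificate Thumbprint:" fields (an assumption about the layout; check it against your own event text); the three sample messages are constructed.

```python
"""Triage helper for KDC event 39 (valid certificate, no strong mapping). Added
example; the labelled-field layout of the message is assumed, samples are constructed."""
import re

LABELS = ["User", "Certificate Subject", "Certificate Issuer",
          "Certificate Serial Number", "Certificate Thumbprint"]
SPLIT_RE = re.compile(r"\b(" + "|".join(re.escape(label) for label in LABELS) + r"):")


def parse_event39(message):
    """Split the event text into its labelled fields (assumed layout, see above)."""
    parts = SPLIT_RE.split(message)
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}


def subject_cn(subject):
    """First CN= component of an X.500-style subject string, or None."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1).strip() if m else None


def triage(fields):
    """Apply the rule's falsepositive guidance to one parsed event."""
    account = fields.get("User", "").split("\\")[-1].split("@")[0]  # strip DOMAIN\ and @realm
    cn = subject_cn(fields.get("Certificate Subject", ""))
    findings = []
    if cn is None:
        findings.append("subject has no CN")
    else:
        if cn.endswith("$"):  # machine-style name in a *user* certificate event
            findings.append("subject CN is a machine account")
        if cn.rstrip("$").lower() != account.rstrip("$").lower():
            findings.append("subject CN %r does not match account %r" % (cn, account))
    return {"account": account, "cn": cn, "findings": findings,
            "verdict": "investigate" if findings else "weak-mapping-only"}


PREAMBLE = ("The Key Distribution Center (KDC) encountered a user certificate that was valid "
            "but could not be mapped to a user in a strong way. ")
SAMPLES = [  # constructed messages, not real events
    PREAMBLE + "User: CORP\\jdoe Certificate Subject: CN=jdoe,OU=Users,DC=corp,DC=local "
    "Certificate Issuer: CN=Corp-CA,DC=corp,DC=local Certificate Serial Number: 1A2B3C "
    "Certificate Thumbprint: AABBCC",
    PREAMBLE + "User: CORP\\jdoe Certificate Subject: CN=Administrator,CN=Users,DC=corp,DC=local "
    "Certificate Issuer: CN=Corp-CA,DC=corp,DC=local Certificate Serial Number: 1A2B3D "
    "Certificate Thumbprint: AABBCD",
    PREAMBLE + "User: CORP\\jdoe Certificate Subject: CN=DC01$,OU=Domain Controllers,DC=corp,DC=local "
    "Certificate Issuer: CN=Corp-CA,DC=corp,DC=local Certificate Serial Number: 1A2B3E "
    "Certificate Thumbprint: AABBCE",
]


def triage_all(messages):
    """Parse and triage a batch of event 39 messages."""
    return [triage(parse_event39(m)) for m in messages]


if __name__ == "__main__":
    for result in triage_all(SAMPLES):
        print(result["verdict"], result["account"], result["cn"], result["findings"])
```

The first sample (jdoe authenticating with a certificate issued to jdoe) is the legacy case the rule's falsepositives describe and can be filtered once the environment has been migrated to strong mappings; the other two, where jdoe presents a certificate naming Administrator or a domain controller's machine account, are the shape of the CVE-2022-26923 class of abuse and should be investigated rather than filtered.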
Certificate-Based Authentication Enabled
Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.
Status: test | Level: medium | Author: Harjot Shah Singh, '@cyb3rjy0t' | ID: c2496b41-16a9-4016-a776-b23f8910dc58
title: Certificate-Based Authentication Enabled
id: c2496b41-16a9-4016-a776-b23f8910dc58
status: test
description: Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Authentication Methods Policy Update'
        TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'
    condition: selection
falsepositives:
    - Unknown
level: medium
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Status: test | Level: medium | Author: frack113 | ID: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
title: Change PowerShell Policies to an Insecure Level
id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
      type: similar
    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
      type: similar
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
      type: similar
status: test
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
    - https://adsecurity.org/?p=2604
    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
author: frack113
date: 2021-11-01
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_option:
        CommandLine|contains:
            - '-executionpolicy '
            - ' -ep '
            - ' -exec '
    selection_level:
        CommandLine|contains:
            - 'Bypass'
            - 'Unrestricted'
    filter_main_powershell_core:
        ParentImage:
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains:
            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\'
            - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\'
    filter_optional_avast:
        ParentImage|contains:
            - 'C:\Program Files\Avast Software\Avast\'
            - 'C:\Program Files (x86)\Avast Software\Avast\'
            - '\instup.exe'
        CommandLine|contains:
            - '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast'
            - '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrator scripts
level: medium
Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
Status: test | Level: medium | Author: frack113 | ID: 61d0475c-173f-4844-86f7-f3eebae1c66b
title: Change PowerShell Policies to an Insecure Level - PowerShell
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
related:
    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
      type: similar
    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
      type: similar
    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
      type: similar
status: test
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
    - https://adsecurity.org/?p=2604
author: frack113
date: 2021-10-20
modified: 2023-12-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Set-ExecutionPolicy'
    selection_option:
        ScriptBlockText|contains:
            - 'Unrestricted'
            - 'bypass'
    filter_optional_chocolatey:
        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Administrator script
level: medium
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
This rule flags PowerShell web requests (Invoke-WebRequest, Invoke-RestMethod and their iwr/irm aliases) that set a custom -UserAgent, a common way to make tooling traffic look like a browser.
Status: test | Level: medium | Author: frack113 | ID: d4488827-73af-4f8d-9244-7b7662ef046e
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_webrequest:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
            - 'iwr '
    selection_useragent:
        ScriptBlockText|contains: '-UserAgent '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Change to Authentication Method
A change to a user's registered authentication methods could indicate an attacker adding an authentication method to the account in order to retain access.
Status: test | Level: medium | Author: AlertIQ | ID: 4d78a000-ab52-4564-88a5-7ab5242b20c7
title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: test
description: A change to a user's registered authentication methods could indicate an attacker adding an authentication method to the account in order to retain access.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556
    - attack.persistence
    - attack.t1098
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        LoggedByService: 'Authentication Methods'
        Category: 'UserManagement'
        OperationName: 'User registered security info'
    condition: selection
falsepositives:
    - Unknown
level: medium
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
Status: test | Level: medium | Author: frack113 | ID: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'add '
            - 'SYSTEM\CurrentControlSet\Services\'
            - ' ImagePath '
    selection_value:
        CommandLine|contains|windash: ' -d '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems.
Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
Status: test | Level: medium | Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | ID: 6419afd1-3742-47a5-a7e6-b50386cd15f8
title: Chmod Targeting Sensitive Directories
id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
status: test
description: |
    Detects chmod targeting files in sensitive directory paths on Linux systems.
    Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-03
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    filter_main_update_shells:
        CommandLine|contains: 'chmod --reference=/etc/shells'
        ParentCommandLine|endswith: '/update-shells'
    filter_main_postinst:
        CommandLine|contains: '/etc/'
        ParentCommandLine|contains|all:
            - '/var/lib/dpkg/info/'
            - '.postinst configure'
    filter_main_apt_key:
        CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
    filter_main_mkinitramfs:
        CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
    filter_main_landscape:
        CommandLine: 'chmod 0775 /etc/landscape/'
    filter_main_ubuntu_apparmor:
        CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium-based browser process started with the '--load-extension' flag, which loads an unpacked custom extension into the new instance.
Status: test | Level: medium | Author: Aedan Russell, frack113, X__Junior (Nextron Systems) | ID: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
title: Chromium Browser Instance Executed With Custom Extension
id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
related:
    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
      type: similar
status: test
description: Detects a Chromium-based browser process started with the '--load-extension' flag, which loads an unpacked custom extension into the new instance.
references:
    - https://redcanary.com/blog/chromeloader/
    - https://emkc.org/s/RJjuLa
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
    - attack.persistence
    - attack.t1176.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--load-extension='
    condition: selection
falsepositives:
    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml
Cisco Denial of Service
Detects a system being shut down or put into a different boot mode.
status: test | author: Austin Clark | id: d94a35f0-7a29-45f6-90a0-80df6159967c
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: test
description: Detects a system being shut down or put into a different boot mode.
author: Austin Clark
date: 2019-08-15
modified: 2023-01-04
tags:
    - attack.impact
    - attack.t1495
    - attack.t1529
    - attack.t1565.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands, though rarely.
level: medium
Cisco Dot1x Disabled
Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
status: experimental | author: Luc Génaux | id: ef0ff092-a24a-4fbc-beea-06c08d53e085
title: Cisco Dot1x Disabled
id: ef0ff092-a24a-4fbc-beea-06c08d53e085
status: experimental
description: |
    Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface.
    Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network.
    This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices.
references:
    - https://www.cisco.com/en/US/docs/ios-xml/ios/san/command/san-xe-3se-3850-cr-book_chapter_00.html#wp3394428680 # Modern IOS-XE
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_010.html#wp3502072400 # Older IOS
    - https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli1.html#47220 # Legacy
author: Luc Génaux
date: 2026-04-28
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1685
    - attack.t1556.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        # xxx port-control force-authorized : disables 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required
        # no xxx port-control : causes the port to fall back to the default setting, which is "force-authorized", thereby disabling 802.1X
        - 'access-session port-control force-authorized' # Modern IOS-XE
        - 'authentication port-control force-authorized' # Older IOS
        - 'dot1x port-control force-authorized' # Legacy
        - 'no access-session port-control' # Modern IOS-XE
        - 'no authentication port-control' # Older IOS
        - 'no dot1x port-control' # Legacy
        - 'no dot1x system-auth-control' # disables 802.1X globally
    condition: keywords
falsepositives:
    - Administrator troubleshooting connectivity issues
level: medium
# regression_tests_path: regression_data/rules/cisco/aaa/cisco_cli_dot1x_disabled/info.yml
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code.
A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
status: test | author: Nikita Khalimonenkov | id: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
title: Cisco Duo Successful MFA Authentication Via Bypass Code
id: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
status: test
description: |
    Detects when a successful MFA authentication occurs due to the use of a bypass code.
    A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
references:
    - https://duo.com/docs/adminapi#logs
    - https://help.duo.com/s/article/6327?language=en_US
author: Nikita Khalimonenkov
date: 2024-04-17
tags:
    - attack.credential-access
    - attack.initial-access
    - attack.stealth
logsource:
    product: cisco
    service: duo
detection:
    selection:
        event_type: authentication
        reason: bypass_user
    condition: selection
falsepositives:
    - Legitimate user that was assigned on purpose to a bypass group
level: medium
Cisco File Deletion
Detects files being deleted from flash file systems.
status: test | author: Austin Clark | id: 71d65515-c436-43c0-841b-236b1f32c21e
title: Cisco File Deletion
id: 71d65515-c436-43c0-841b-236b1f32c21e
status: test
description: Detects files being deleted from flash file systems.
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070.004
    - attack.t1561.001
    - attack.t1561.002
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'erase'
        - 'delete'
        - 'format'
    condition: keywords
falsepositives:
    - Will sometimes be used by admins to clean up local flash space
level: medium
Cisco Modify Configuration
Detects configuration modifications that could serve an adversary's impact or persistence goals.
status: test | author: Austin Clark | id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Detects configuration modifications that could serve an adversary's impact or persistence goals.
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: medium
Cisco Show Commands Input
Detects "show" commands that reveal what other users have entered on the device; full credentials can appear in the command history.
status: test | author: Austin Clark | id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: test
description: Detects "show" commands that reveal what other users have entered on the device; full credentials can appear in the command history.
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured
level: medium
Cisco Sniffing
Detects when a monitor capture point or a SPAN/RSPAN session is set up or modified.
status: test | author: Austin Clark | id: b9e1f193-d236-4451-aaae-2f3d2102120d
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: test
description: Detects when a monitor capture point or a SPAN/RSPAN session is set up or modified.
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
falsepositives:
    - Admins may set up new SPAN sessions or modify existing ones, or use a monitor capture for troubleshooting
level: medium
Classes Autorun Keys Modification
Detects modification of Windows Registry Classes keys used for persistence.
Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
status: test | author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | id: 9df5f547-c86a-433e-b533-f2794357e242
title: Classes Autorun Keys Modification
id: 9df5f547-c86a-433e-b533-f2794357e242
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of Windows Registry Classes keys used for persistence.
    Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
    Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
    thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_classes_base:
        TargetObject|contains: '\Software\Classes'
    selection_classes_target:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\Shellex\ColumnHandlers'
            - '\Filter'
            - '\Exefile\Shell\Open\Command\(Default)'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\.exe'
            - '\.cmd'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter_main_drivers:
        Image: 'C:\Windows\System32\drvinst.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        # If more targets are found from "svchost", exclude the whole image
        TargetObject|contains: '\lnkfile\shellex\ContextMenuHandlers\'
    filter_optional_msoffice:
        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - Legitimate administrators set up autorun keys for legitimate reasons
level: medium
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
status: test | author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | id: 26b692dc-1722-49b2-b496-a8258aa6371d
title: Clear PowerShell History - PowerShell
id: 26b692dc-1722-49b2-b496-a8258aa6371d
related:
    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
      type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2022-01-25
modified: 2022-12-02
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1a:
        ScriptBlockText|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
    selection1b:
        ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_2:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
    selection_3:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
            - '-HistorySaveStyle'
            - 'SaveNothing'
    condition: 1 of selection_* or all of selection1*
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
status: test | author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | id: f99276ad-d122-4989-a09a-d00904a5f9d2
title: Clear PowerShell History - PowerShell Module
id: f99276ad-d122-4989-a09a-d00904a5f9d2
related:
    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
      type: derived
status: test
description: Detects keywords that could indicate clearing PowerShell history
references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019-10-25
modified: 2022-12-02
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_1a_payload:
        Payload|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
    selection_1b_payload:
        Payload|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_payload_2:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
    selection_payload_3:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '-HistorySaveStyle'
            - 'SaveNothing'
    condition: 1 of selection_payload_* or all of selection_1*
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
(4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
status: experimental | author: Milad Cheraghi | id: eca5e022-d368-4043-98e5-9736fb01f72f
title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
id: eca5e022-d368-4043-98e5-9736fb01f72f
status: experimental
description: |
    Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),
    (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel
    ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation
    or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
references:
    - https://man7.org/linux/man-pages/man2/syslog.2.html
    - https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-12-05
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'syslog'
        a0:
            - 4 # SYSLOG_ACTION_READ_CLEAR: read and clear log
            - 5 # SYSLOG_ACTION_CLEAR: clear kernel ring buffer (without reading)
            - 6 # SYSLOG_ACTION_CONSOLE_OFF: disable logging to console
    condition: selection
falsepositives:
    - System administrators or scripts that intentionally clear logs
    - Debugging scripts
level: medium
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many exploits for CVEs that target the Common Log File System (CLFS) driver.
status: experimental | author: X__Junior | id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many exploits for CVEs that target the Common Log File System (CLFS) driver.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
status: test | author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems) | id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
title: ClickOnce Trust Prompt Tampering
id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
status: test
description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-06-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
        TargetObject|endswith:
            - '\Internet'
            - '\LocalIntranet'
            - '\MyComputer'
            - '\TrustedSites'
            - '\UntrustedSites'
        Details: 'Enabled'
    condition: selection
falsepositives:
    - Legitimate internal requirements.
level: medium
Cloudflared Portable Execution
Detects the execution of the "cloudflared" binary from a non-standard location.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
title: Cloudflared Portable Execution
id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
status: test
description: |
    Detects the execution of the "cloudflared" binary from a non-standard location.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - https://github.com/cloudflare/cloudflared/releases
author: Nasreddine Bencherchali (Nextron Systems)
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cloudflared.exe'
    filter_main_admin_location:
        Image|contains:
            - ':\Program Files (x86)\cloudflared\'
            - ':\Program Files\cloudflared\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of Cloudflared portable versions
level: medium
Cloudflared Quick Tunnel Execution
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
The tool has been observed in use by threat groups including Akira ransomware.
status: test | author: Sajid Nawaz Khan | id: 222129f7-f4dc-4568-b0d2-22440a9639ba
title: Cloudflared Quick Tunnel Execution
id: 222129f7-f4dc-4568-b0d2-22440a9639ba
related:
    - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
      type: similar
    - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
      type: similar
status: test
description: |
    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
    The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
    The tool has been observed in use by threat groups including Akira ransomware.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
author: Sajid Nawaz Khan
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cloudflared.exe'
              - '\cloudflared-windows-386.exe'
              - '\cloudflared-windows-amd64.exe'
        - Hashes|contains:
              - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
              - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
              - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
              - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
              - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
              - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
              - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
              - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
              - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
              - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
              - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
              - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
              - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
              - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
              - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
              - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
              - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
              - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
              - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
              - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
              - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
              - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
              - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
              - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
              - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
              - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
              - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
              - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
              - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
              - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
              - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
              - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
              - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
              - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
              - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
              - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
              - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
              - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
    # Note:
    # Accounts for the cloudflared binaries being renamed
    # `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names
    selection_param:
        - CommandLine|contains|all:
              - '-url'
              - 'tunnel'
        - CommandLine|contains:
              - '.exe -url'
              - '.exe --url'
    selection_other:
        CommandLine|contains|all:
            - '-url'
            - '-no-autoupdate'
    condition: (selection_img and selection_param) or selection_other
falsepositives:
    - Legitimate usage of Cloudflare Quick Tunnel
level: medium
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
references:
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - 'cleanup '
        CommandLine|contains:
            - '-config '
            - '-connector-id '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared.
level: medium
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been seen used by threat actors to maintain persistence and remote access to compromised networks.
status: test | author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been seen used by threat actors to maintain persistence and remote access to compromised networks.
references:
    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - ' run '
        CommandLine|contains:
            - '-config '
            - '-credentials-contents '
            - '-credentials-file '
            - '-token '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared tunnel.
level: medium
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnel domains.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: a1d9eec5-33b2-4177-8d24-27fe754d0812
title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflared tunnel domains.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of Cloudflare tunnels will also trigger this.
level: medium
Cmd Launched with Hidden Start Flags to Suspicious Targets
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
Status: experimental. Author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems). ID: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
Sigma YAML:
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
    - attack.stealth
    - attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_hidden_start_1:
        CommandLine|contains|windash:
            - 'start '
            - 'start/b'
            - 'start/min'
    selection_cmd_hidden_start_2:
        CommandLine|contains|windash:
            - '/b '
            - '/b"'
            - '/min '
            - '/min"'
    selection_cli_uncommon_location:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\'
            - '\Music\'
            - '\Photos\'
            - '\Temporary Internet\'
            - '\Users\Public\'
            - '\Videos\'
    selection_cli_susp_extension:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    selection_cli_susp_pattern:
        CommandLine|contains:
            - ' -nop '
            - ' -sta '
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '-noni '
            - '-w hidden '
    condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
    - Legitimate administrative scripts running from temporary folders.
    - Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
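The condition of this rule (`all of selection_cmd_* and 1 of selection_cli_*`) combined with the `windash` modifier is easy to misread when tuning it. The Python below is an added example, not code from the Sigma project or the rule authors: it re-implements that detection logic with a simplified `windash` (slash, hyphen and the en/em dash treated as interchangeable, case-insensitive) and runs it over constructed process_creation events. The field names come from the rule; the helper names and the sample events are constructed for illustration.

```python
"""Evaluate the 'Cmd Launched with Hidden Start Flags to Suspicious Targets'
detection logic over constructed process_creation events.
Added example; not code from the Sigma project. Field names follow the rule;
helper names and the events below are constructed for illustration."""
import re

# Values copied from the rule's detection section.
HIDDEN_START_1 = ["start ", "start/b", "start/min"]
HIDDEN_START_2 = ["/b ", '/b"', "/min ", '/min"']
UNCOMMON_LOCATION = [
    ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\", ":\\Windows\\Temp\\",
    "\\AppData\\Roaming\\", "\\Contacts\\", "\\Documents\\", "\\Downloads\\",
    "\\Favorites\\", "\\Favourites\\", "\\inetpub\\", "\\Music\\", "\\Photos\\",
    "\\Temporary Internet\\", "\\Users\\Public\\", "\\Videos\\",
]
SUSP_EXTENSION = [".bat", ".cmd", ".cpl", ".hta", ".js", ".ps1", ".scr", ".vbe", ".vbs"]
SUSP_PATTERN = [" -nop ", " -sta ", ".downloadfile(", ".downloadstring(", "-noni ", "-w hidden "]

# Characters the windash modifier treats as interchangeable: slash, hyphen and the
# en dash / em dash / horizontal bar. Simplified re-implementation for this example.
WINDASH_CHARS = "/-\u2013\u2014\u2015"


def windash_regex(value):
    """Turn one Sigma value into a case-insensitive regex in which every
    dash-like character matches any character of WINDASH_CHARS."""
    parts = []
    for ch in value:
        if ch in WINDASH_CHARS:
            parts.append("[" + re.escape(WINDASH_CHARS) + "]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def contains_any(text, values, windash=False):
    """Sigma `contains` over a list of values: OR semantics, case-insensitive."""
    text = text or ""
    if windash:
        return any(windash_regex(v).search(text) for v in values)
    lowered = text.lower()
    return any(v.lower() in lowered for v in values)


def selection_cmd_img(event):
    """A list of maps in a selection means either alternative satisfies it."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\cmd.exe") or original == "cmd.exe"


def rule_matches(event):
    """condition: all of selection_cmd_* and 1 of selection_cli_*"""
    cl = event.get("CommandLine") or ""
    all_cmd = (
        selection_cmd_img(event)
        and contains_any(cl, HIDDEN_START_1, windash=True)
        and contains_any(cl, HIDDEN_START_2, windash=True)
    )
    any_cli = (
        contains_any(cl, UNCOMMON_LOCATION)
        or contains_any(cl, SUSP_EXTENSION)
        or contains_any(cl, SUSP_PATTERN)
    )
    return all_cmd and any_cli


CMD = "C:\\Windows\\System32\\cmd.exe"
# Constructed sample events (not real telemetry).
EVENTS = [
    # hidden start of a script in a public directory -> match
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c start /b C:\\Users\\Public\\update.vbs"},
    # minimized start of a batch file from the Windows temp directory -> match
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c start /min "" C:\\Windows\\Temp\\run.bat'},
    # hyphen instead of slash; matches only because of windash -> match
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c start -b C:\\Users\\Public\\x.vbs"},
    # renamed cmd.exe binary, caught through OriginalFileName -> match
    {"Image": "C:\\Temp\\c.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "c.exe /c start /b C:\\Users\\bob\\AppData\\Roaming\\a.js"},
    # hidden start, but the target is neither a script nor in a listed directory -> no match
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c start /b notepad.exe"},
    # minimized start of an installed updater, the rule's intended exclusion -> no match
    {"Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c start /min "" "C:\\Program Files\\Vendor\\updater.exe"'},
    # same flags, but not cmd.exe, so selection_cmd_img fails -> no match
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c start /b C:\\Users\\Public\\a.vbs"},
]


def evaluate_all(events=EVENTS):
    """Return the rule verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate_all()):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

The third event shows why `windash` matters: without it, `start -b` would slip past the `'/b '` value. The fourth shows why the rule keys on `OriginalFileName` as well as `Image`, so a renamed copy of cmd.exe still counts. When tuning, add exclusions for known updaters as `filter_*` selections rather than removing locations from `selection_cli_uncommon_location`.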
Code Execution via Pcwutl.dll
Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.
Status: test. Author: Julia Fomina, oscd.community. ID: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
Sigma YAML:
title: Code Execution via Pcwutl.dll
id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
status: test
description: Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
    - https://twitter.com/harr0ey/status/989617817849876488
author: Julia Fomina, oscd.community
date: 2020-10-05
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'pcwutl'
            - 'LaunchApplication'
    condition: all of selection_*
falsepositives:
    - Use of Program Compatibility Troubleshooter Helper
level: medium
CodePage Modification Via MODE.COM To Russian Language
Detects a CodePage modification to the Russian language using the "mode.com" utility.
This behavior has been used by threat actors behind Dharma ransomware.
Status: test. Author: Joseliyo Sanchez, @Joseliyo_Jstnk. ID: 12fbff88-16b5-4b42-9754-cd001a789fb3
Sigma YAML:
title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
      type: derived
status: test
description: |
    Detects a CodePage modification to the Russian language using the "mode.com" utility.
    This behavior has been used by threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior:"mode con cp select=1251"
    # VT Query: behavior:"mode con cp select=866"
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
        CommandLine|endswith:
            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
    condition: all of selection_*
falsepositives:
    - Russian-speaking users changing the CodePage
level: medium
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
Status: test. Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community. ID: 1ac8666b-046f-4201-8aba-1951aaec03a3
Sigma YAML:
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'http' # captures both http and https
            - '://'
            - '%AppData%'
    condition: selection
falsepositives:
    - High
level: medium
Common Autorun Keys Modification
Detects modification of an autostart extensibility point (ASEP) in the registry.
Status: test. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name). ID: f59c3faf-50f3-464b-9f4c-1b67ab512d99
Sigma YAML:
title: Common Autorun Keys Modification
id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of an autostart extensibility point (ASEP) in the registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
            - '\SYSTEM\Setup\CmdLine'
            - '\Software\Microsoft\Ctf\LangBarAddin'
            - '\Software\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Classes\Protocols\Handler'
            - '\SOFTWARE\Classes\Protocols\Filter'
            - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
            - '\Environment\UserInitMprLogonScript'
            - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
            - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
            - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
            - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
            - '\Control Panel\Desktop\Scrnsave.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
              - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
        - Details:
              - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
              - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
              - '{42089D2D-912D-4018-9087-2B87803E93FB}'
              - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
              - '{807583E5-5146-11D5-A672-00B0D022E945}'
    filter_optional_chrome:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}'
    filter_optional_edge:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
    filter_optional_IE:
        TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'
    filter_optional_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_optional_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - Legitimate administrators set up autorun keys for legitimate reasons
level: medium
Communication To Uncommon Destination Ports
Detects programs that connect to uncommon destination ports
Status: test. Author: Florian Roth (Nextron Systems). ID: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
Sigma YAML:
title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
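The `cidr` modifier and the two filter groups in this rule decide most of its false-positive behaviour, so it is worth seeing exactly which connections survive them. The Python below is an added example, not code from the Sigma project or the rule author: it evaluates the rule's selection and filters over constructed network_connection events using the standard `ipaddress` module. The field names (Initiated, DestinationPort, DestinationIp, Image) come from the rule; the helper names and the events are constructed, and the addresses are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32).

```python
"""Evaluate the 'Communication To Uncommon Destination Ports' rule over
constructed network_connection events.
Added example; not code from the Sigma project. Field names follow the rule;
helper names and the events below are constructed for illustration."""
import ipaddress

# Values copied from the rule's detection section.
UNCOMMON_PORTS = {8080, 8888}
LOCAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
SYS_DIRECTORIES = ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]


def in_any_range(ip_text, networks):
    """Sigma `cidr` modifier: true when the address lies in one of the networks.
    An address of the other IP version never matches a network, and an
    unparsable value is treated as not matching, so a malformed field cannot
    silently suppress an alert."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def selection(event):
    """Initiated: 'true' and DestinationPort in {8080, 8888}."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    return initiated and port in UNCOMMON_PORTS


def filter_main_local_ranges(event):
    return in_any_range(event.get("DestinationIp", ""), LOCAL_RANGES)


def filter_optional_sys_directories(event):
    image = (event.get("Image") or "").lower()
    return any(image.startswith(d.lower()) for d in SYS_DIRECTORIES)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event)
            and not filter_main_local_ranges(event)
            and not filter_optional_sys_directories(event))


TEMP_AGENT = "C:\\Users\\bob\\AppData\\Local\\Temp\\agent.exe"
# Constructed sample events (not real telemetry).
EVENTS = [
    # outbound 8080 to a public address from a temp-directory binary -> match
    {"Image": TEMP_AGENT, "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 8080},
    # same, but the destination is RFC 1918 space -> filtered out
    {"Image": TEMP_AGENT, "Initiated": "true", "DestinationIp": "10.1.2.3", "DestinationPort": 8080},
    # installed software under Program Files -> optional filter removes it
    {"Image": "C:\\Program Files\\Vendor\\app.exe", "Initiated": "true",
     "DestinationIp": "198.51.100.5", "DestinationPort": 8888},
    # inbound connection (Initiated false) -> selection fails
    {"Image": TEMP_AGENT, "Initiated": "false", "DestinationIp": "203.0.113.10", "DestinationPort": 8080},
    # common port -> selection fails
    {"Image": TEMP_AGENT, "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # IPv6 link-local destination -> filtered out by fe80::/10
    {"Image": TEMP_AGENT, "Initiated": "true", "DestinationIp": "fe80::1", "DestinationPort": 8888},
    # IPv6 public destination on 8888 -> match
    {"Image": TEMP_AGENT, "Initiated": "true", "DestinationIp": "2001:db8::10", "DestinationPort": 8888},
]


def evaluate_all(events=EVENTS):
    """Return the rule verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate_all()):
        print("ALERT " if hit else "      ", event["Image"], "->",
              event["DestinationIp"], event["DestinationPort"])
```

Note the asymmetry the rule builds in: the `filter_main_*` group (local ranges) is something you would normally keep, while `filter_optional_sys_directories` trades coverage for noise reduction, since anything running from `C:\Program Files\` is trusted outright; if that is too broad for your estate, replace it with filters on specific Image paths.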
Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Status: test. Author: frack113. ID: 9fbf5927-5261-4284-a71d-f681029ea574
Sigma YAML:
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2023-03-13
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
    selection_password:
        CommandLine|contains: ' -p'
    selection_action:
        CommandLine|contains:
            - ' a '
            - ' u '
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since compressing files with a password is common.
level: medium
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Status: test. Author: frack113. ID: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
Sigma YAML:
title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium