Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
status: test | author: Cedric Maurugeon | id: 5f1573a7-363b-4114-9208-ad7a61de46eb
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vm process'
        CommandLine|endswith: ' list'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
status: test | author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon | id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vsan'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.
status: test | author: frack113, Nasreddine Bencherchali | id: a5b40a90-baf5-4bf7-a6f7-373494881d22
title: ETW Logging/Processing Option Disabled On IIS Server
id: a5b40a90-baf5-4bf7-a6f7-373494881d22
status: test
description: Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
author: frack113, Nasreddine Bencherchali
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|endswith: '@logTargetW3C'
        OldValue|contains: 'ETW'
    filter_main_etw_added:
        NewValue|contains: 'ETW'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium
EVTX Created In Uncommon Location
Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations.
This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within them.
Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
status: test | author: D3F7A5105 | id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: test
description: |
    Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations.
    This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within them.
    Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2024-03-26
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx</TargetFilename>'
detection:
    selection:
        TargetFilename|endswith: '.evtx'
    filter_main_path:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
    filter_main_baseimage:
        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator or backup activity
    - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name>_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml
Elevated System Shell Spawned From Uncommon Parent Location
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
status: test | author: frack113, Tim Shelton (update fp) | id: 178e615d-e666-498b-9630-9ed363038101
title: Elevated System Shell Spawned From Uncommon Parent Location
id: 178e615d-e666-498b-9630-9ed363038101
related:
    - id: 61065c72-5d7d-44ef-bf41-6a36684b545f
      type: similar
status: test
description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
references:
    - https://github.com/Wh04m1001/SysmonEoP
author: frack113, Tim Shelton (update fp)
date: 2022-12-05
modified: 2025-03-06
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    category: process_creation
detection:
    selection_shell:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
              - '\cmd.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'powershell_ise.EXE'
              - 'pwsh.dll'
              - 'Cmd.Exe'
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        LogonId: '0x3e7'
    filter_main_generic:
        # Example 1:
        #   C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
        # Example 2:
        #   ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
        #   CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
        ParentImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\Temp\' # Installers
            - ':\Windows\WinSxS\'
    filter_optional_manageengine:
        # Example:
        #   ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
        #   CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
        ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
        Image|endswith: '\cmd.exe'
    filter_optional_asgard:
        CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
        CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
    filter_optional_ibm_spectrumprotect:
        ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
        CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
    filter_main_parent_null:
        ParentImage: null
    filter_main_parent_empty:
        ParentImage:
            - ''
            - '-'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.
level: medium
Enable BPF Kprobes Tracing
Detects a common command used to enable BPF kprobes tracing.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 7692f583-bd30-4008-8615-75dab3f08a99
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: fa277e82-9b78-42dd-b05c-05555c7b6015
title: Enable Local Manifest Installation With Winget
id: fa277e82-9b78-42dd-b05c-05555c7b6015
status: test
description: Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\AppInstaller\EnableLocalManifestFiles'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Administrators or developers might enable this for testing purposes or to install custom private packages
level: medium
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
status: test | author: frack113 | id: 63647769-326d-4dde-a419-b925cc0caf42
title: Enable Microsoft Dynamic Data Exchange
id: 63647769-326d-4dde-a419-b925cc0caf42
status: test
description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
author: frack113
date: 2022-02-26
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1559.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_word:
        TargetObject|endswith: '\Word\Security\AllowDDE'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000002)'
    selection_excel:
        TargetObject|endswith:
            - '\Excel\Security\DisableDDEServerLaunch'
            - '\Excel\Security\DisableDDEServerLookup'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
status: test | author: X__Junior (Nextron Systems) | id: 4d431012-2ab5-4db7-a84e-b29809da2172
title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
id: 4d431012-2ab5-4db7-a84e-b29809da2172
status: test
description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
author: X__Junior (Nextron Systems)
date: 2023-11-03
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\WBEM\CIMOM\AllowAnonymousCallback'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
Enable Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
status: test | author: frack113 | id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022-01-07
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Enable-PSRemoting '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: medium
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
status: test | author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops) | id: ad89044a-8f49-4673-9a55-cbd88a1b374f
title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
status: test
description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
references:
    - https://twitter.com/jamieantisocial/status/1304520651248668673
    - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
    - https://www.sans.org/cyber-security-summit/archives
    - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
date: 2020-09-10
modified: 2023-11-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.012
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        TargetObject|endswith:
            - '\COR_ENABLE_PROFILING'
            - '\COR_PROFILER'
            - '\CORECLR_ENABLE_PROFILING'
    selection_2:
        TargetObject|contains: '\CORECLR_PROFILER_PATH'
    condition: 1 of selection_*
level: medium
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
status: test | author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | id: 7091372f-623c-4293-bc37-20c32b3492be
title: End User Consent Blocked
id: 7091372f-623c-4293-bc37-20c32b3492be
status: test
description: Detects when end user consent is blocked due to risk-based consent.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-10
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions'
    condition: selection
falsepositives:
    - Unknown
level: medium
Enumerate All Information With Whoami.EXE
Detects the execution of "whoami.exe" with the "/all" flag.
title: Enumerate All Information With Whoami.EXE
id: c248c896-e412-4279-8c15-1c558067b6fa
status: test
description: Detects the execution of "whoami.exe" with the "/all" flag
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-04
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_main_cli:
        CommandLine|contains|windash: ' -all'
    condition: all of selection_main_*
falsepositives:
    - Unknown
level: medium
Enumerate Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
status: test | author: frack113 | id: 603c6630-5225-49c1-8047-26c964553e0e
title: Enumerate Credentials from Windows Credential Manager With PowerShell
id: 603c6630-5225-49c1-8047-26c964553e0e
status: test
description: |
    Adversaries may search for common password storage locations to obtain user credentials.
    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - vaultcmd
            - '/listcreds:'
    selection_option:
        ScriptBlockText|contains:
            - 'Windows Credentials'
            - 'Web Credentials'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that hold credentials via the command line.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 87a476dc-0079-4583-a985-dee7a20a03de
title: Enumeration for 3rd Party Creds From CLI
id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
      type: derived
    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
      type: similar
status: test
description: Detects processes that query known 3rd party registry keys that hold credentials via the command line.
references:
    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: # Add more paths as they are discovered
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm\'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    filter_main_other_rule: # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
        Image|endswith: 'reg.exe'
        CommandLine|contains:
            - 'export'
            - 'save'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.
status: test | author: frack113 | id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
title: Enumeration for Credentials in Registry
id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
status: test
description: |
    Adversaries may search the Registry on compromised systems for insecurely stored credentials.
    The Windows Registry stores configuration information that can be used by the system or other programs.
    Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - ' query '
            - '/t '
            - 'REG_SZ'
            - '/s'
    hive:
        - CommandLine|contains|all:
              - '/f '
              - 'HKLM'
        - CommandLine|contains|all:
              - '/f '
              - 'HKCU'
        - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
    condition: reg and hive
falsepositives:
    - Unknown
level: medium
Esentutl Gather Credentials
Conti recommended to its affiliates that they use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MS Edge info via its module pwgrab.
status: test | author: sam0x90 | id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Conti recommended to its affiliates that they use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MS Edge info via its module pwgrab.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.003
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'esentutl'
            - ' /p'
    condition: selection
falsepositives:
    - To be determined
level: medium
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge using the built-in utility esentutl.exe.
status: test | author: frack113 | id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
title: Esentutl Steals Browser Information
id: 6a69f62d-ce75-4b57-8dce-6351eb55b362
status: test
description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge using the built-in utility esentutl.exe.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022-02-13
modified: 2024-03-05
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: 'esentutl.exe'
    selection_flag:
        CommandLine|contains|windash: '-r'
    selection_webcache:
        CommandLine|contains: '\Windows\WebCache'
    condition: all of selection*
falsepositives:
    - Legitimate use
level: medium
EventLog EVTX File Deleted
Detects the deletion of event log files, which may indicate an attempt to destroy forensic evidence.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of event log files, which may indicate an attempt to destroy forensic evidence.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
        TargetFilename|endswith: '.evtx'
    condition: selection
falsepositives:
    - Unknown
level: medium
Eventlog Cleared
One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution.
status: test | author: Florian Roth (Nextron Systems) | id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
title: Eventlog Cleared
id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
related:
    - id: f2f01843-e7b8-4f95-a35a-d23584476423
      type: obsolete
    - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
      type: derived
    - id: 100ef69e-3327-481c-8e5c-6d80d9507556
      type: derived
status: test
description: One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution.
references:
    - https://twitter.com/deviouspolack/status/832535435960209408
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2023-11-15
tags:
    - attack.defense-impairment
    - attack.t1685.005
    - car.2016-04-002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
        Provider_Name: 'Microsoft-Windows-Eventlog'
    filter_main_covered:
        # The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
        Channel:
            - 'Microsoft-Windows-PowerShell/Operational'
            - 'Microsoft-Windows-Sysmon/Operational'
            - 'PowerShellCore/Operational'
            - 'Security'
            - 'System'
            - 'Windows PowerShell'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
    - System provisioning (system reset before the golden image creation)
level: medium
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
status: test | author: SOC Prime, Adam Swan | id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
title: Executable from Webdav
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
status: test
description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
references:
    - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
    - https://github.com/OTRF/detection-hackathon-apt29
author: 'SOC Prime, Adam Swan'
date: 2020-05-01
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: zeek
    service: http
detection:
    selection_webdav:
        - c-useragent|contains: 'WebDAV'
        - c-uri|contains: 'webdav'
    selection_executable:
        - resp_mime_types|contains: 'dosexec'
        - c-uri|endswith: '.exe'
    condition: selection_webdav and selection_executable
falsepositives:
    - Unknown
level: medium
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester is a PowerShell module for testing).
status: test | author: Julia Fomina, oscd.community | id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester is a PowerShell module for testing).
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020-10-08
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    powershell_module:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Pester'
            - 'Get-Help'
    cmd_execution:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'pester'
            - ';'
    get_help:
        CommandLine|contains:
            - 'help'
            - '\?'
    condition: powershell_module or (cmd_execution and get_help)
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules
level: medium
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester is a PowerShell module for testing).
status: test | author: frack113, Nasreddine Bencherchali | id: 18988e1b-9087-4f8a-82fe-0414dce49878
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
    - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
      type: similar
status: test
description: Detects code execution via Pester.bat (Pester is a PowerShell module for testing).
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_module:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
    selection_cli:
        ParentCommandLine|contains:
            - '{ Invoke-Pester -EnableExit ;'
            - '{ Get-Help "'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules
level: medium
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin.
status: test | author: Beyu Denis, oscd.community | id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
title: Execute Files with Msdeploy.exe
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
status: test
description: Detects file execution using the msdeploy.exe lolbin
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
    - https://twitter.com/pabraeken/status/995837734379032576
    - https://twitter.com/pabraeken/status/999090532839313408
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'verb:sync'
            - '-source:RunCommand'
            - '-dest:runCommand'
        Image|endswith: '\msdeploy.exe'
    condition: selection
falsepositives:
    - System administrator usage
level: medium
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Status: test | Author: frack113 | ID: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_stream:
        CommandLine|contains: 'txt:'
    selection_tools_type:
        CommandLine|contains|all:
            - 'type '
            - ' > '
    selection_tools_makecab:
        CommandLine|contains|all:
            - 'makecab '
            - '.cab'
    selection_tools_reg:
        CommandLine|contains|all:
            - 'reg '
            - ' export '
    selection_tools_regedit:
        CommandLine|contains|all:
            - 'regedit '
            - ' /E '
    selection_tools_esentutl:
        CommandLine|contains|all:
            - 'esentutl '
            - ' /y '
            - ' /d '
            - ' /o '
    condition: selection_stream and (1 of selection_tools_*)
falsepositives:
    - Unknown
level: medium
Execute Invoke-command on Remote Host
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Status: test | Author: frack113 | ID: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
title: Execute Invoke-command on Remote Host
id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
author: frack113
date: 2022-01-07
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains|all:
            - 'invoke-command '
            - ' -ComputerName '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: medium
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Status: test | Author: Joseliyo Sanchez, @Joseliyo_Jstnk | ID: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
title: Execution Of Script Located In Potentially Suspicious Directory
id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
status: test
description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/bash'
            - '/csh'
            - '/dash'
            - '/fish'
            - '/ksh'
            - '/sh'
            - '/zsh'
    selection_flag:
        CommandLine|contains: ' -c '
    selection_paths:
        # Note: Add more suspicious paths
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
This rule might require some initial baselining to align with some third party tooling in the user environment.
Status: test | Author: Max Altgelt (Nextron Systems) | ID: c09dad97-1c78-4f71-b127-7edb2b8e491a
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: test
description: |
    Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
    This rule might require some initial baselining to align with some third party tooling in the user environment.
references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2023-11-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    known_image_extension:
        Image|endswith:
            - '.bin'
            - '.cgi'
            - '.com'
            - '.exe'
            - '.scr'
            - '.tmp' # sadly many installers use this extension
    filter_main_image: # Windows utilities without extension
        Image:
            - 'System'
            - 'Registry'
            - 'MemCompression'
            - 'vmmem'
    filter_main_msi_installers:
        Image|contains: ':\Windows\Installer\MSI'
    filter_main_driver_store:
        Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
    filter_main_msi_rollbackfiles:
        Image|contains: ':\Config.Msi\'
        Image|endswith:
            - '.rbf'
            - '.rbs'
    filter_main_windows_temp:
        - ParentImage|contains: ':\Windows\Temp\'
        - Image|contains: ':\Windows\Temp\'
    filter_main_deleted:
        Image|contains: ':\$Extend\$Deleted\'
    filter_main_empty:
        Image:
            - '-'
            - ''
    filter_main_null:
        Image: null
    filter_optional_avira:
        ParentImage|contains: ':\ProgramData\Avira\'
    filter_optional_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
    filter_optional_winpakpro:
        Image|contains:
            - ':\Program Files (x86)\WINPAKPRO\'
            - ':\Program Files\WINPAKPRO\'
        Image|endswith: '.ngn'
    filter_optional_myq_server:
        Image|endswith:
            - ':\Program Files (x86)\MyQ\Server\pcltool.dll'
            - ':\Program Files\MyQ\Server\pcltool.dll'
    filter_optional_wsl:
        Image|contains|all:
            - '\AppData\Local\Packages\'
            - '\LocalState\rootfs\'
    filter_optional_lzma_exe:
        Image|endswith: '\LZMA_EXE'
    filter_optional_firefox:
        Image|contains: ':\Program Files\Mozilla Firefox\'
    filter_optional_docker:
        ParentImage: 'C:\Windows\System32\services.exe'
        Image|endswith: 'com.docker.service'
    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
title: Explorer Process Tree Break
id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
status: test
description: |
    Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
    which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
references:
    - https://twitter.com/CyberRaiju/status/1273597319322058752
    - https://twitter.com/bohops/status/1276357235954909188?s=12
    - https://twitter.com/nas_bench/status/1535322450858233858
    - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
date: 2019-06-29
modified: 2025-10-31
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
    selection_factory:
        CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
    selection_root:
        CommandLine|contains: 'explorer.exe'
        CommandLine|contains|windash: ' /root,'
    # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
    # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
Status: test | Author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | ID: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
title: External Remote RDP Logon from Public IP
id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
related:
    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
      type: derived
status: test
description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
references:
    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1133
    - attack.t1078
    - attack.t1110
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.
level: medium
Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Status: test | Author: frack113 | ID: bd5971a7-626d-46ab-8176-ed643f694f68
title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: test
description: |
    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
    configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-12-19
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - ls
            - ' -R'
            - 'select-string '
            - '-Pattern '
    condition: selection
falsepositives:
    - Unknown
level: medium
F5 BIG-IP iControl Rest API Command Execution - Proxy
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Status: test | Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo | ID: b59c98c6-95e8-4d65-93ee-f594dfb96b17
title: F5 BIG-IP iControl Rest API Command Execution - Proxy
id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
related:
    - id: 85254a62-22be-4239-b79c-2ec17e566c37
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'POST'
        c-uri|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG-IP REST API to execute commands for administration purposes
level: medium
F5 BIG-IP iControl Rest API Command Execution - Webserver
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Status: test | Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo | ID: 85254a62-22be-4239-b79c-2ec17e566c37
title: F5 BIG-IP iControl Rest API Command Execution - Webserver
id: 85254a62-22be-4239-b79c-2ec17e566c37
related:
    - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
      type: similar
status: test
description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
references:
    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash
    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029
    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-11-08
tags:
    - attack.execution
    - attack.t1190
    - attack.initial-access
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|endswith: '/mgmt/tm/util/bash'
    condition: selection
falsepositives:
    - Legitimate usage of the BIG-IP REST API to execute commands for administration purposes
level: medium
Failed DNS Zone Transfer
Detects when a DNS zone transfer failed.
Status: test | Author: Zach Mathis | ID: 6d444368-6da1-43fe-b2fc-44202430480e
title: Failed DNS Zone Transfer
id: 6d444368-6da1-43fe-b2fc-44202430480e
status: test
description: Detects when a DNS zone transfer failed.
references:
    - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
author: Zach Mathis
date: 2023-05-24
tags:
    - attack.reconnaissance
    - attack.t1590.002
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
    condition: selection
falsepositives:
    - Unlikely
level: medium
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Status: test | Author: NVISO | ID: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
author: NVISO
date: 2020-05-06
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.t1190
    - attack.t1133
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    filter_main_ip_unknown:
        IpAddress|contains: '-'
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate logon attempts over the internet
    - IPv4-to-IPv6 mapped IPs
level: medium
File Access Of Signal Desktop Sensitive Data
Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.
Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
Status: experimental | Author: Andreas Braathen (mnemonic.io) | ID: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
title: File Access Of Signal Desktop Sensitive Data
id: 5d6c375a-18ae-4952-b4f6-8b803f6c8555
status: experimental
description: |
    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.
    Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
    - https://vmois.dev/query-signal-desktop-messages-sqlite/
author: Andreas Braathen (mnemonic.io)
date: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    service: security
    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ObjectName|contains: '\AppData\Roaming\Signal\'
        ObjectName|endswith:
            - '\config.json'
            - '\db.sqlite'
    filter_main_signal:
        ProcessName|endswith:
            - '\signal-portable.exe'
            - '\signal.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but possible from AV or backup software accessing the files.
level: medium
File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 037dcd71-33a8-4392-bb01-293c94663e5a
title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: test
description: Detects usage of Gpg4win to decrypt files
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.gpg4win.de/documentation.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - 'passphrase'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Status: test | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | ID: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
    - https://twitter.com/mrd0x/status/1478116126005641220
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2025-10-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_http:
        CommandLine|contains: 'http'
    selection_extensions:
        - CommandLine|endswith:
              - '.7z'
              - '.dat'
              - '.dll'
              - '.exe'
              - '.hta'
              - '.ps1'
              - '.psm1'
              - '.txt'
              - '.vbe'
              - '.vbs'
              - '.zip'
        - CommandLine|contains:
              - '.7z"'
              - '.dat"'
              - '.dll"'
              - '.hta"'
              - '.ps1"'
              - '.psm1"'
              - '.txt"'
              - '.vbe"'
              - '.vbs"'
              - '.zip"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
File Download From IP URL Via Curl.EXE
Detects file downloads directly from IP address URL using curl.exe
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
title: File Download From IP URL Via Curl.EXE
id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
related:
    - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
      type: similar
status: test
description: Detects file downloads directly from IP address URL using curl.exe
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_http:
        CommandLine|contains: 'http'
    selection_flag:
        CommandLine|contains:
            - ' -O' # covers the alias for --remote-name and --output
            - '--remote-name'
            - '--output'
    filter_main_ext:
        # Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043
        CommandLine|endswith:
            - '.bat'
            - '.bat"'
            - '.dat'
            - '.dat"'
            - '.dll'
            - '.dll"'
            - '.exe'
            - '.exe"'
            - '.gif'
            - '.gif"'
            - '.hta'
            - '.hta"'
            - '.jpeg'
            - '.jpeg"'
            - '.log'
            - '.log"'
            - '.msi'
            - '.msi"'
            - '.png'
            - '.png"'
            - '.ps1'
            - '.ps1"'
            - '.psm1'
            - '.psm1"'
            - '.vbe'
            - '.vbe"'
            - '.vbs'
            - '.vbs"'
            - ".bat'"
            - ".dat'"
            - ".dll'"
            - ".exe'"
            - ".gif'"
            - ".hta'"
            - ".jpeg'"
            - ".log'"
            - ".msi'"
            - ".png'"
            - ".ps1'"
            - ".psm1'"
            - ".vbe'"
            - ".vbs'"
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Status: test | Author: frack113 | ID: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
title: File Download Using ProtocolHandler.exe
id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb
status: test
description: |
    Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
author: frack113
date: 2021-07-13
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\protocolhandler.exe'
        - OriginalFileName: 'ProtocolHandler.exe'
    selection_cli:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Status: test | Author: Michael Haag, FPT.EagleEye | ID: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cmd:
        CommandLine|contains: ' /transfer '
    selection_cli_1:
        CommandLine|contains:
            - ' /create '
            - ' /addfile '
    selection_cli_2:
        CommandLine|contains: 'http'
    condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
title: File Download Via InstallUtil.EXE
id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
status: test
description: |
    Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/239
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\InstallUtil.exe'
        - OriginalFileName: 'InstallUtil.exe'
    selection_cli:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
Status: test | Author: Daniel Cortez | ID: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
title: File Download Via Nscurl - MacOS
id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
status: test
description: Detects the execution of the nscurl utility in order to download files.
references:
    - https://www.loobins.io/binaries/nscurl/
    - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
    - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
author: Daniel Cortez
date: 2024-06-04
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/nscurl'
        CommandLine|contains:
            - '--download '
            - '--download-directory '
            - '--output '
            - '-dir '
            - '-dl '
            - '-ld'
            - '-o '
    condition: selection
falsepositives:
    - Legitimate usage of nscurl by administrators and users.
level: medium
File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 70ad0861-d1fe-491c-a45f-fa48148a300d
title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
related:
    - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
      type: similar
status: test
description: Detects when a user downloads a file by using CertOC.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-10-18
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-GetCACAPS'
            - 'http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
title: File Encoded To Base64 Via Certutil.EXE
id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-02-24
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    condition: all of selection_*
falsepositives:
    - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
status testauthor Nasreddine Bencherchali (Nextron Systems)id 550bbb84-ce5d-4e61-84ad-e590f0024dcd
view Sigma YAML
title: File Encryption Using Gpg4win
id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd
status: test
description: Detects usage of Gpg4win to encrypt files
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.gpg4win.de/documentation.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
            - '\gpg.exe'
            - '\gpg2.exe'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains|all:
            - ' -c '
            - 'passphrase'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe".
Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
title: File Recovery From Backup Via Wbadmin.EXE
id: 6fe4aa1e-0531-4510-8be2-782154b73b48
related:
    - id: 84972c80-251c-4c3a-9079-4f00aad93938
      type: derived
status: test
description: |
    Detects the recovery of files from backups via "wbadmin.exe".
    Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
File Time Attribute Change
Detects file time attribute changes made to hide new files or changes to existing files.
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detect file time attribute change to hide new or changes to existing files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains:
            - '-t'
            - '-acmr'
            - '-d'
            - '-r'
    condition: selection
falsepositives:
    - Unknown
level: medium
File Time Attribute Change - Linux
Detects file time attribute changes made to hide new files or changes to existing files.
title: File Time Attribute Change - Linux
id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
status: test
description: Detect file time attribute change to hide new or changes to existing files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: 'EXECVE'
    touch:
        - 'touch'
    selection2:
        - '-t'
        - '-acmr'
        - '-d'
        - '-r'
    condition: execve and touch and selection2
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Set a file's access timestamp
      technique: T1070.006
      atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
    - type: atomic-red-team
      name: Set a file's modification timestamp
      technique: T1070.006
      atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
    - type: atomic-red-team
      name: Modify file timestamps using reference file
      technique: T1070.006
      atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50