title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
    - https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith: '\WorkFolders.exe'
    filter:
        Image: 'C:\Windows\System32\control.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of the uncommon Windows Work Folders feature.
level: high

title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
    - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
    - https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\stordiag.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\systeminfo.exe'
            - '\fltmc.exe'
    filter:
        ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
            - 'c:\windows\system32\'
            - 'c:\windows\syswow64\'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of stordiag.exe.
level: high

title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
        # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
            - 'Internet Explorer *'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/

        # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
            - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
            - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads

        # Metasploit Update by Florian Roth 08.07.2017
            - 'Mozilla/5.0'
            - 'Mozilla/4.0 (compatible; SPIPE/1.0'
        # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'  # too many false positives expected
        # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'  # too many false positives expected
            - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
            - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
            - 'X-FORWARDED-FOR'
            - 'DotDotPwn v2.1'
            - 'SIPDROID'
            - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

        # Empire
            - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0'

        # Exploits
            - '*wordpress hash grabber*'
            - '*exploit*'

        # Havoc
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36'  # https://github.com/HavocFramework/Havoc/issues/519
    condition: selection
falsepositives:
    - Unknown
level: high

title: Explorer NOUACCHECK Flag
id: 534f2ef7-e8a2-4433-816d-c91bccde289b
status: test
description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
references:
    - https://twitter.com/ORCA6665/status/1496478087244095491
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\explorer.exe'
        CommandLine|contains: '/NOUACCHECK'
    filter_dc_logon:
        - ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
        - ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
    condition: selection and not 1 of filter_*
falsepositives:
    - Domain Controller User Logon
    - Unknown how many legitimate software products use that method
level: high

title: Exports Critical Registry Keys To a File
id: 82880171-b475-4201-b811-e9c826cd5eaa
related:
    - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
      type: similar
status: test
description: Detects the export of a crital Registry key to a file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.discovery
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli_1:
        CommandLine|contains|windash: ' -E '
    selection_cli_2:
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    selection_cli_3:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: all of selection_*
falsepositives:
    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high

title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Image|endswith: '\regedit.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: External Remote SMB Logon from Public IP
id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
related:
    - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
      type: derived
status: test
description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
references:
    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1133
    - attack.t1078
    - attack.t1110
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate or intentional inbound connections from public IP addresses on the SMB port.
level: high

title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    service: msexchange-management
    product: windows
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        EventID: 6
        Data|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high

title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
    - https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020-05-04
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\fxssvc.exe'
        ImageLoaded|endswith: 'ualapi.dll'
    filter:
        ImageLoaded|startswith: 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high

title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - cve.2022-30190
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        TargetFilename|contains:
            - '\Desktop\'
            - '\Start Menu\Programs\Startup\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
status: test
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023-02-15
modified: 2025-06-04
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash:
            - '-decode ' # Decode Base64
            - '-decodehex ' # Decode Hex
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml

title: File Download And Execution Via IEExec.EXE
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: test
description: Detects execution of the IEExec utility to download and execute files
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-11-09
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\IEExec.exe'
        - OriginalFileName: 'IEExec.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
      type: similar
status: test
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_cli:
        CommandLine|contains: '-GetCACAPS'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: File Download Using Notepad++ GUP Utility
id: 44143844-0631-49ab-97a0-96387d6b2d7c
status: test
description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
references:
    - https://twitter.com/nas_bench/status/1535322182863179776
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2023-03-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\GUP.exe'
        - OriginalFileName: 'gup.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -unzipTo '
            - 'http'
    filter:
        ParentImage|endswith: '\notepad++.exe'
    condition: all of selection* and not filter
falsepositives:
    - Other parent processes other than notepad++ using GUP that are not currently identified
level: high

title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
      type: obsolete
    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_folder:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '%ProgramData%'
            - '%public%'
            - '%temp%'
            - '%tmp%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
    - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'MpCmdRun.exe'
        - Image|endswith: '\MpCmdRun.exe'
        - CommandLine|contains: 'MpCmdRun.exe'
        - Description: 'Microsoft Malware Protection Command Line Utility'
    selection_cli:
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'url'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
related:
    - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
      type: derived
status: test
description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
references:
    - https://twitter.com/mrd0x/status/1478234484881436672?s=12
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Sreeman, Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2025-10-07
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1105
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains|all:
            - '--headless'
            - 'dump-dom'
            - 'http'
    filter_optional_edge_1:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files\Microsoft\Edge\Application\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeWebView\'
            - 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\MicrosoftEdge.exe'
        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
    filter_optional_edge_2:
        Image|contains:
            - '\AppData\Local\Microsoft\WindowsApps\'
            - '\Windows\SystemApps\Microsoft.MicrosoftEdge'
        Image|endswith:
            - '\msedge.exe'
            - '\MicrosoftEdge.exe'
        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml

title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
status: test
description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
references:
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-11-30
modified: 2023-08-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_metadata:
        - Image|endswith:
              - '\gpg.exe'
              - '\gpg2.exe'
        - Product: 'GNU Privacy Guard (GnuPG)'
        - Description: 'GnuPG’s OpenPGP tool'
    selection_cli:
        CommandLine|contains: '-passphrase'
    selection_paths:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
    Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
    - https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
    - attack.discovery
    - attack.t1135
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\explorer.exe'
        CommandLine|contains: 'shell:mycomputerfolder'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml

title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
      type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash: '-encode'
    selection_extension:
        CommandLine|contains:
            # Note: Add more suspicious locations to increase coverage
            - '\AppData\Roaming\'
            - '\Desktop\'
            - '\Local\Temp\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '$Recycle.Bin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml

title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
    - attack.t1204.002
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    # Note: Please add more file extensions to the logic of your choice.
    selection1:
        Image|endswith:
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    selection2:
        TargetFilename|endswith:
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ocx'
            - '.proj'
            - '.ps1'
            - '.scf'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    filter_main_localassembly:
        TargetFilename|contains: '\AppData\Local\assembly\tmp\'
        TargetFilename|endswith: '.dll'
    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\WebServiceCache\AllUsers'
        TargetFilename|endswith: '.com'
    filter_optional_webex:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\BackstageInAppNavCache\'
        TargetFilename|endswith: '.com'
    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: FileFix - Command Evidence in TypedPaths
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
related:
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: similar
status: experimental
description: |
    Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
    - https://x.com/russianpanda9xx/status/1940831134759506029
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-05
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: registry_set
    product: windows
detection:
    selection_base:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains|all:
            - '#'
            - 'http'
    selection_cmd:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'cpassword'
            - '\sysvol\'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
    - type: atomic-red-team
      name: GPP Passwords (findstr)
      technique: T1552.006
      atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f

title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
related:
    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074
      type: similar
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
status: test
description: |
    Detects execution of the "finger.exe" utility.
    Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'finger.exe'
        - Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Admin activity (unclear what they do nowadays with finger.exe)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml

title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    false_positives:
        RelativeTargetName:
            - 'atsvc'
            - 'samr'
            - 'lsarpc'
            - 'lsass'
            - 'winreg'
            - 'netlogon'
            - 'srvsvc'
            - 'protected_storage'
            - 'wkssvc'
            - 'browser'
            - 'netdfs'
            - 'svcctl'
            - 'spoolss'
            - 'ntsvcs'
            - 'LSM_API_service'
            - 'HydraLsPipe'
            - 'TermSrv_API_service'
            - 'MsFteWds'
            - 'sql\query'
            - 'eventlog'
    condition: selection1 and not false_positives
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high

title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
      type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
    filter_keywords:
        - 'samr'
        - 'lsarpc'
        - 'winreg'
        - 'netlogon'
        - 'srvsvc'
        - 'protected_storage'
        - 'wkssvc'
        - 'browser'
        - 'netdfs'
        - 'svcctl'
        - 'spoolss'
        - 'ntsvcs'
        - 'LSM_API_service'
        - 'HydraLsPipe'
        - 'TermSrv_API_service'
        - 'MsFteWds'
    condition: selection and not 1 of filter_*
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high

title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high

title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        EventType: DeleteValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
    condition: selection
falsepositives:
    - Legitimate administrators removing applications (should always be investigated)
level: high

title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
    Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Notes:
        #   - The parent must not have CLI options
        #   - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
        #   - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
        ParentCommandLine|endswith:
            - '.exe'
            - '.exe"'
        Image|endswith: '\cmd.exe'
        CommandLine|startswith: '/c echo "'
    filter_main_parent_not_sys:
        ParentImage|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
        ParentImage|endswith: '\forfiles.exe'
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
        Image|endswith: '\cmd.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
  Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high

title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high

title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: test
description: Detects when a user disables a critical security feature for an organization.
references:
    - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
    - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-29
modified: 2024-07-22
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_advanced_security.disabled_for_new_repos'
            - 'business_advanced_security.disabled_for_new_user_namespace_repos'
            - 'business_advanced_security.disabled'
            - 'business_advanced_security.user_namespace_repos_disabled'
            - 'org.advanced_security_disabled_for_new_repos'
            - 'org.advanced_security_disabled_on_all_repos'
            - 'org.advanced_security_policy_selected_member_disabled'
            - 'org.disable_oauth_app_restrictions'
            - 'org.disable_two_factor_requirement'
            - 'repo.advanced_security_disabled'
    condition: selection
falsepositives:
    - Approved administrator/owner activities.
level: high

title: Github Push Protection Disabled
id: ccd55945-badd-4bae-936b-823a735d37dd
status: test
description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning_custom_pattern_push_protection.disabled'
            - 'business_secret_scanning_push_protection.disable'
            - 'business_secret_scanning_push_protection.disabled_for_new_repos'
            - 'org.secret_scanning_custom_pattern_push_protection_disabled'
            - 'org.secret_scanning_push_protection_disable'
            - 'org.secret_scanning_push_protection_new_repos_disable'
            - 'repository_secret_scanning_custom_pattern_push_protection.disabled'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high

title: Github Secret Scanning Feature Disabled
id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
status: test
description: Detects if the secret scanning feature is disabled for an enterprise or repository.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
modified: 2024-07-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning.disable'
            - 'business_secret_scanning.disabled_for_new_repos'
            - 'repository_secret_scanning.disable'
            - 'secret_scanning_new_repos.disable'
            - 'secret_scanning.disable'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high

title: Guacamole Two Users Sharing Session Anomaly
id: 1edd77db-0669-4fef-9598-165bda82826d
status: test
description: Detects suspicious session with two users present
references:
    - https://research.checkpoint.com/2020/apache-guacamole-rce/
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1212
logsource:
    product: linux
    service: guacamole
detection:
    selection:
        - '(2 users now present)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
id: 38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8
status: experimental
description: |
    Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
    Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
references:
    - https://github.com/logangoins/SharpSuccessor
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-06
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpSuccessor.exe'
        - OriginalFileName: 'SharpSuccessor.exe'
        - CommandLine|contains: 'SharpSuccessor'
        - CommandLine|contains|all:
              - ' add '
              - ' /impersonate'
              - ' /path'
              - ' /account'
              - ' /name'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.credential-access
    - attack.t1110
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - ADCSPwn Execution
id: cd8c163e-a19b-402e-bdd5-419ff5859f12
status: test
description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
references:
    - https://github.com/bats3c/ADCSPwn
author: Florian Roth (Nextron Systems)
date: 2021-07-31
modified: 2023-02-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' --adcs '
            - ' --port '
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter
level: high

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Certify Execution
id: 762f2482-ff21-4970-8939-0aa317a886bb
status: test
description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/GhostPack/Certify
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2023-04-25
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certify.exe'
        - OriginalFileName: 'Certify.exe'
        - Description|contains: 'Certify'
    selection_cli_commands:
        CommandLine|contains:
            - '.exe cas '
            - '.exe find '
            - '.exe pkiobjects '
            - '.exe request '
            - '.exe download '
    selection_cli_options:
        CommandLine|contains:
            - ' /vulnerable'
            - ' /template:'
            - ' /altname:'
            - ' /domain:'
            - ' /path:'
            - ' /ca:'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high

title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: |
    Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
references:
    - https://github.com/ly4k/Certipy
    - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
date: 2023-04-17
modified: 2024-10-08
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1649
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Certipy.exe'
        - OriginalFileName: 'Certipy.exe'
        - Description|contains: 'Certipy'
    selection_cli_commands:
        CommandLine|contains:
            - ' account '
            - ' auth '
            # - ' ca ' # Too short to be used with just one CLI
            - ' cert '
            - ' find '
            - ' forge '
            - ' ptt '
            - ' relay '
            - ' req '
            - ' shadow '
            - ' template '
    selection_cli_flags:
        CommandLine|contains:
            - ' -bloodhound'
            - ' -ca-pfx '
            - ' -dc-ip '
            - ' -kirbi'
            - ' -old-bloodhound'
            - ' -pfx '
            - ' -target'
            - ' -template'
            - ' -username '
            - ' -vulnerable'
            - 'auth -pfx'
            - 'shadow auto'
            - 'shadow list'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unlikely
level: high

title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
    - https://github.com/boku7/injectAmsiBypass
    - https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1106
    - attack.t1685
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
        GrantedAccess:
            - '0x1028'
            - '0x1fffff'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
    - id: 953b895e-5cc9-454b-b183-7f3db555452e
      type: obsolete
    - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
      type: obsolete
    - id: 37325383-740a-403d-b1a2-b2b4ab7992e7
      type: obsolete
    - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
      type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection_amazon_1:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'GET'
        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
        cs-host: 'www.amazon.com'
        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
    selection_amazon_2:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'POST'
        c-uri: '/N4215/adj/amzn.us.sr.aps'
        cs-host: 'www.amazon.com'
    selection_generic_1:
        c-useragent:
            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
    selection_generic_2:
        c-useragent|endswith: '; MANM; MANM)'
    selection_oscp:
        c-uri|contains: '/oscp/'
        cs-host: 'ocsp.verisign.com'
    selection_onedrive:
        cs-method: 'GET'
        c-uri|endswith: '\?manifest=wac'
        cs-host: 'onedrive.live.com'
    filter_main_onedrive:
        c-uri|startswith: 'http'
        c-uri|contains: '://onedrive.live.com/'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: HackTool - CoercedPotato Execution
id: e8d34729-86a4-4140-adfd-0a29c2106307
status: test
description: Detects the use of CoercedPotato, a tool for privilege escalation
references:
    - https://github.com/hackvens/CoercedPotato
    - https://blog.hackvens.fr/articles/CoercedPotato.html
author: Florian Roth (Nextron Systems)
date: 2023-10-11
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\CoercedPotato.exe'
    selection_params:
        CommandLine|contains: ' --exploitId '
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
            - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
            - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - CoercedPotato Named Pipe Creation
id: 4d0083b3-580b-40da-9bba-626c19fe4033
status: test
description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
references:
    - https://blog.hackvens.fr/articles/CoercedPotato.html
    - https://github.com/hackvens/CoercedPotato
author: Florian Roth (Nextron Systems)
date: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\coerced\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
    condition: 1 of selection_*
level: high