title: HackTool - SafetyKatz Dump Indicator
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename generated by SafetyKatz.
references:
    - https://github.com/GhostPack/SafetyKatz
    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
author: Markus Neis
date: 2018-07-24
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Temp\debug.bin'
    condition: selection
falsepositives:
    - Rare legitimate files with similar filename structure
level: high

title: HackTool - SharPersist Execution
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: test
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
    - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
    - https://github.com/mandiant/SharPersist
author: Florian Roth (Nextron Systems)
date: 2022-09-15
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SharPersist.exe'
        - Product: 'SharPersist'
    selection_cli_1:
        CommandLine|contains:
            - ' -t schtask -c '
            - ' -t startupfolder -c '
    selection_cli_2:
        CommandLine|contains|all:
            - ' -t reg -c '
            - ' -m add'
    selection_cli_3:
        CommandLine|contains|all:
            - ' -t service -c '
            - ' -m add'
    selection_cli_4:
        CommandLine|contains|all:
            - ' -t schtask -c '
            - ' -m add'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - SharpChisel Execution
id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
related:
    - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
      type: similar
status: test
description: Detects usage of the Sharp Chisel via the commandline arguments
references:
    - https://github.com/shantanu561993/SharpChisel
    - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2023-02-13
tags:
    - attack.command-and-control
    - attack.t1090.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpChisel.exe'
        - Product: 'SharpChisel'
    # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SharpDPAPI Execution
id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
status: test
description: |
    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
references:
    - https://github.com/GhostPack/SharpDPAPI
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpDPAPI.exe'
        - OriginalFileName: 'SharpDPAPI.exe'
    selection_other_cli:
        CommandLine|contains:
            - ' backupkey '
            - ' blob '
            - ' certificates '
            - ' credentials '
            - ' keepass '
            - ' masterkeys '
            - ' rdg '
            - ' vaults '
    selection_other_options_guid:
        CommandLine|contains|all:
            - ' {'
            - '}:'
    selection_other_options_flags:
        CommandLine|contains:
            - ' /file:'
            - ' /machine'
            - ' /mkfile:'
            - ' /password:'
            - ' /pvk:'
            - ' /server:'
            - ' /target:'
            - ' /unprotect'
    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
falsepositives:
    - Unknown
level: high

title: HackTool - SharpEvtMute DLL Load
id: 49329257-089d-46e6-af37-4afce4290685
related:
    - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation
      type: similar
status: test
description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2024-11-23
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
    condition: selection
falsepositives:
    - Other DLLs with the same Imphash
level: high

title: HackTool - SharpEvtMute Execution
id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
related:
    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
      type: similar
status: test
description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\SharpEvtMute.exe'
        - Description: 'SharpEvtMute'
        - CommandLine|contains:
              - '--Filter "rule '
              - '--Encoded --Filter \"'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
    - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
      type: similar
status: test
description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
    - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
    - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-02-13
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpImpersonation.exe'
        - OriginalFileName: 'SharpImpersonation.exe'
    selection_cli:
        - CommandLine|contains|all:
              - ' user:'
              - ' binary:'
        - CommandLine|contains|all:
              - ' user:'
              - ' shellcode:'
        - CommandLine|contains:
              - ' technique:CreateProcessAsUserW'
              - ' technique:ImpersonateLoggedOnuser'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
    - https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
date: 2022-08-29
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\SharpLdapWhoami.exe'
    selection_pe: # in case the file has been renamed after compilation
        - OriginalFileName|contains: 'SharpLdapWhoami'
        - Product: 'SharpLdapWhoami'
    selection_flags1:
        CommandLine|endswith:
            - ' /method:ntlm'
            - ' /method:kerb'
            - ' /method:nego'
            - ' /m:nego'
            - ' /m:ntlm'
            - ' /m:kerb'
    condition: 1 of selection*
falsepositives:
    - Programs that use the same command line flags
level: high

title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: test
description: |
    Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
    - https://github.com/0xthirteen/SharpMove/
    - https://pentestlab.blog/tag/sharpmove/
author: Luca Di Bartolomeo (CrimpSec)
date: 2024-01-29
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SharpMove.exe'
        - OriginalFileName: SharpMove.exe
    selection_cli_computer:
        # In its current implementation the "computername" flag is required in all actions
        CommandLine|contains: 'computername='
    selection_cli_actions:
        CommandLine|contains:
            - 'action=create'
            - 'action=dcom'
            - 'action=executevbs'
            - 'action=hijackdcom'
            - 'action=modschtask'
            - 'action=modsvc'
            - 'action=query'
            - 'action=scm'
            - 'action=startservice'
            - 'action=taskscheduler'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high

title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
    - id: dcd74b95-3f36-4ed9-9598-0490951643aa
      type: similar
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/tevora-threat/SharpView/
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021-12-10
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.t1049
    - attack.t1069.002
    - attack.t1482
    - attack.t1135
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'SharpView.exe'
        - Image|endswith: '\SharpView.exe'
        - CommandLine|contains:
              # - 'Add-DomainGroupMember'
              # - 'Add-DomainObjectAcl'
              # - 'Add-ObjectAcl'
              - 'Add-RemoteConnection'
              - 'Convert-ADName'
              - 'ConvertFrom-SID'
              - 'ConvertFrom-UACValue'
              - 'Convert-SidToName'
              # - 'ConvertTo-SID'
              - 'Export-PowerViewCSV'
              # - 'Find-DomainLocalGroupMember'
              - 'Find-DomainObjectPropertyOutlier'
              - 'Find-DomainProcess'
              - 'Find-DomainShare'
              - 'Find-DomainUserEvent'
              - 'Find-DomainUserLocation'
              - 'Find-ForeignGroup'
              - 'Find-ForeignUser'
              - 'Find-GPOComputerAdmin'
              - 'Find-GPOLocation'
              - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
              - 'Find-LocalAdminAccess'
              - 'Find-ManagedSecurityGroups'
              # - 'Get-ADObject'
              - 'Get-CachedRDPConnection'
              - 'Get-DFSshare'
              # - 'Get-DNSRecord'
              # - 'Get-DNSZone'
              # - 'Get-Domain'
              - 'Get-DomainComputer'
              - 'Get-DomainController'
              - 'Get-DomainDFSShare'
              - 'Get-DomainDNSRecord'
              # - 'Get-DomainDNSZone'
              - 'Get-DomainFileServer'
              - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
              - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
              - 'Get-DomainGroup' # 'Get-DomainGroupMember'
              - 'Get-DomainGUIDMap'
              - 'Get-DomainManagedSecurityGroup'
              - 'Get-DomainObject' # 'Get-DomainObjectAcl'
              - 'Get-DomainOU'
              - 'Get-DomainPolicy' # 'Get-DomainPolicyData'
              - 'Get-DomainSID'
              - 'Get-DomainSite'
              - 'Get-DomainSPNTicket'
              - 'Get-DomainSubnet'
              - 'Get-DomainTrust' # 'Get-DomainTrustMapping'
              # - 'Get-DomainUser'
              - 'Get-DomainUserEvent'
              # - 'Get-Forest'
              - 'Get-ForestDomain'
              - 'Get-ForestGlobalCatalog'
              - 'Get-ForestTrust'
              - 'Get-GptTmpl'
              - 'Get-GroupsXML'
              # - 'Get-GUIDMap'
              # - 'Get-IniContent'
              # - 'Get-IPAddress'
              - 'Get-LastLoggedOn'
              - 'Get-LoggedOnLocal'
              - 'Get-NetComputer' # 'Get-NetComputerSiteName'
              - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
              - 'Get-NetFileServer'
              - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
              - 'Get-NetGPO' # 'Get-NetGPOGroup'
              # - 'Get-NetGroup'
              - 'Get-NetGroupMember'
              - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
              - 'Get-NetLoggedon'
              - 'Get-NetOU'
              - 'Get-NetProcess'
              - 'Get-NetRDPSession'
              - 'Get-NetSession'
              - 'Get-NetShare'
              - 'Get-NetSite'
              - 'Get-NetSubnet'
              - 'Get-NetUser'
              # - 'Get-ObjectAcl'
              - 'Get-PathAcl'
              - 'Get-PrincipalContext'
              # - 'Get-Proxy'
              - 'Get-RegistryMountedDrive'
              - 'Get-RegLoggedOn'
              # - 'Get-SiteName'
              # - 'Get-UserEvent'
              # - 'Get-WMIProcess'
              - 'Get-WMIRegCachedRDPConnection'
              - 'Get-WMIRegLastLoggedOn'
              - 'Get-WMIRegMountedDrive'
              - 'Get-WMIRegProxy'
              - 'Invoke-ACLScanner'
              - 'Invoke-CheckLocalAdminAccess'
              - 'Invoke-Kerberoast'
              - 'Invoke-MapDomainTrust'
              - 'Invoke-RevertToSelf'
              - 'Invoke-Sharefinder'
              - 'Invoke-UserImpersonation'
              # - 'New-DomainGroup'
              # - 'New-DomainUser'
              - 'Remove-DomainObjectAcl'
              - 'Remove-RemoteConnection'
              - 'Request-SPNTicket'
              # - 'Resolve-IPAddress'
              # - 'Set-ADObject'
              - 'Set-DomainObject'
              # - 'Set-DomainUserPassword'
              - 'Test-AdminAccess'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - SharpWSUS/WSUSpendu Execution
id: b0ce780f-10bd-496d-9067-066d23dc3aa5
status: test
description: |
    Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
    Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
references:
    - https://labs.nettitude.com/blog/introducing-sharpwsus/
    - https://github.com/nettitude/SharpWSUS
    - https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
author: '@Kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-10-07
modified: 2024-08-23
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1210
logsource:
    product: windows
    category: process_creation
detection:
    selection_wsuspendu_inject:
        CommandLine|contains: ' -Inject '
    selection_wsuspendu_payload:
        CommandLine|contains:
            - ' -PayloadArgs '
            - ' -PayloadFile '
    selection_sharpwsus_commands:
        CommandLine|contains:
            - ' approve '
            - ' create '
            - ' check '
            - ' delete '
    selection_sharpwsus_flags:
        CommandLine|contains:
            - ' /payload:'
            - ' /payload='
            - ' /updateid:'
            - ' /updateid='
    condition: all of selection_wsuspendu_* or all of selection_sharpwsus_*
falsepositives:
    - Unknown
level: high

title: HackTool - Stracciatella Execution
id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
status: test
description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
references:
    - https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2024-11-23
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Stracciatella.exe'
        - OriginalFileName: 'Stracciatella.exe'
        - Description: 'Stracciatella'
        - Hashes|contains:
              - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
              - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - SysmonEnte Execution
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: test
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-11-28
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_access
    product: windows
detection:
    selection_sysmon:
        TargetImage|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
        GrantedAccess: '0x1400'
    selection_calltrace:
        CallTrace: 'Ente'
    filter_main_generic:
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_main_msdefender:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
falsepositives:
    - Unknown
level: high

title: HackTool - TruffleSnout Execution
id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
status: test
description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
    - https://github.com/dsnezhkov/TruffleSnout
    - https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md
author: frack113
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'TruffleSnout.exe'
        - Image|endswith: '\TruffleSnout.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1552.001
    - cve.2021-36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
              - '\hive_sam_'  # Go version
              - '\SAM-2021-'  # C++ version
              - '\SAM-2022-'  # C++ version
              - '\SAM-2023-'  # C++ version
              - '\SAM-haxx'   # Early C++ versions
              - '\Sam.save'   # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam'  # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high

title: HackTool - UACMe Akagi Execution
id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
status: test
description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
references:
    - https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2021-08-30
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Product: 'UACMe'
        - Company:
              - 'REvol Corp'
              - 'APT 92'
              - 'UG North'
              - 'Hazardous Environments'
              - 'CD Project Rekt'
        - Description:
              - 'UACMe main module'
              - 'Pentesting utility'
        - OriginalFileName:
              - 'Akagi.exe'
              - 'Akagi64.exe'
    selection_img:
        Image|endswith:
            - '\Akagi64.exe'
            - '\Akagi.exe'
    selection_hashes_sysmon:
        Hashes|contains:
            - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'
            - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'
            - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'
            - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'
            - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'
            - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'
            - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'
            - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'
            - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'
            - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
            - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - WSASS Execution
id: 589ac73f-8e12-409c-964e-31a2f5775ae2
status: experimental
description: |
    Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's
    (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
references:
    - https://github.com/TwoSevenOneT/WSASS
    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-23
modified: 2026-01-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\wsass.exe'
    selection_hash:
        Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'
    selection_cli:
        # change to |re|i after Sigma v2.0 release
        # plain string without quotation marks as it has to match for both ' and "
        CommandLine|re: (?i)\.exe[\"\']?\s+[^\"]{0,64}werfaultsecure\.exe[\"\']?\s+\d{2,10} # wsass.exe "path to werfaultsecure" lsass_pid
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml

title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high

title: HackTool - Wmiexec Default Powershell Command
id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
status: test
description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
references:
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xordump.exe'
        - CommandLine|contains:
              - ' -process lsass.exe '
              - ' -m comsvcs '
              - ' -m dbghelp '
              - ' -m dbgcore '
    condition: selection
falsepositives:
    - Another tool that uses the command line switches of XORdump
level: high

title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
    - https://github.com/carlospolop/PEASS-ng
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1082
    - attack.t1087
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: HackTool Named File Stream Created
id: 19b041f6-e583-40dc-b842-d6fa8011493f
status: test
description: Detects the creation of a named file stream with the imphash of a well-known hack tool
references:
    - https://github.com/gentilkiwi/mimikatz
    - https://github.com/topotam/PetitPotam
    - https://github.com/ohpe/juicy-potato
    - https://github.com/antonioCoco/RoguePotato
    - https://www.tarasco.org/security/pwdump_7/
    - https://github.com/fortra/nanodump
    - https://github.com/codewhitesec/HandleKatz
    - https://github.com/xuanxuan0/DripLoader
    - https://github.com/hfiref0x/UACME
    - https://github.com/outflanknl/Dumpert
    - https://github.com/wavestone-cdt/EDRSandblast
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2024-11-23
tags:
    - attack.stealth
    - attack.s0139
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
    definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
    selection:
        Hash|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool Service Registration or Execution
id: d26ce60c-2151-403c-9a42-49420d87b5e4
status: test
description: Detects installation or execution of services
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
    selection_service_name:
        ServiceName|contains:
            - 'cachedump'
            - 'DumpSvc'
            - 'gsecdump'
            - 'pwdump'
            - 'UACBypassedService'
            - 'WCE SERVICE'
            - 'WCESERVICE'
            - 'winexesvc'
    selection_service_image:
        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high

title: Hacktool - EDR-Freeze Execution
id: c598cc0c-9e70-4852-b9eb-8921af79f598
status: experimental
description: |
    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|contains:
            - '\EDR-Freeze'
            - '\EDRFreeze'
        Image|endswith: '.exe'
    selection_imphash:
        Hashes|contains:
            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml

title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
    - https://github.com/cube0x0
    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2024-01-15
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
status: test
description: This events that are generated when using the hacktool Ruler by Sensepost
references:
    - https://github.com/sensepost/ruler
    - https://github.com/sensepost/ruler/issues/47
    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
author: Florian Roth (Nextron Systems)
date: 2017-05-31
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.execution
    - attack.collection
    - attack.lateral-movement
    - attack.t1087
    - attack.t1114
    - attack.t1059
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4776
        Workstation: 'RULER'
    selection2:
        EventID:
            - 4624
            - 4625
        WorkstationName: 'RULER'
    condition: (1 of selection*)
falsepositives:
    - Go utilities that use staaldraad awesome NTLM library
level: high

title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
status: test
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2024-01-16
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        TargetUserName|endswith: '$'
    filter_main_homegroup:
        TargetUserName: 'HomeGroupUser$'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Hide Schedule Task Via Index Value Tamper
id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
related:
    - id: acd74772-5f88-45c7-956b-6a7b36c294d2
      type: similar
    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
      type: similar
status: test
description: |
  Detects when the "index" value of a scheduled task is modified from the registry
  Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
references:
    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Index'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Hiding User Account Via SpecialAccounts Registry Key
id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
related:
    - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
      type: obsolete
    - id: 9ec9fb1b-e059-4489-9642-f270c207923d
      type: similar
status: test
description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-07-12
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1564.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c

title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: test
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
author: Samir Bousseaden
references:
    - Internal Research
date: 2019-02-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\mstsc.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/rm'
            - '/unlink'
            - '/shred'
    selection_history:
        - CommandLine|contains:
              - '/.bash_history'
              - '/.zsh_history'
        - CommandLine|endswith:
              - '_history'
              - '.history'
              - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: high

title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
status: test
description: Rule to detect the Hybrid Connection Manager service installation.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager
    condition: selection
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high

title: HybridConnectionManager Service Installation - Registry
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
status: test
description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-11-27
tags:
    - attack.resource-development
    - attack.t1608
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        TargetObject|contains: '\Services\HybridConnectionManager'
    selection2:
        EventType: SetValue
        Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high

title: HybridConnectionManager Service Running
id: b55d23e5-6821-44ff-8a6e-67218891e49f
status: test
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2024-08-05
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
detection:
    selection:
        EventID:
            - 40300
            - 40301
            - 40302
    keywords:
        - 'HybridConnection'
        - 'sb://'
        - 'servicebus.windows.net'
        - 'HybridConnectionManage'
    condition: selection and keywords
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high

title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
related:
    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
      type: similar
status: experimental
description: |
    Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
    HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
    Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
references:
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si '  # SetItem Alias
    selection_cli_base:
        CommandLine|contains: '\DeviceGuard'
    selection_cli_key:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'HypervisorEnforcedCodeIntegrity'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020

title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
related:
    - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
      type: similar
status: test
description: |
    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
    - https://twitter.com/M_haggis/status/1699056847154725107
    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
date: 2023-09-05
tags:
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
        TargetObject|endswith:
            - '\http'
            - '\https'
        Details|contains: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high

title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
related:
    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
      type: similar
status: test
description: |
    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
    - https://twitter.com/M_haggis/status/1699056847154725107
    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
            - 'http'
            - ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high

title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: test
description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
references:
    - https://twitter.com/Sam0x90/status/1552011547974696960
    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: '@sam0x90'
date: 2022-07-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip\'
        TargetFilename|endswith: '.iso'
    selection_2:
        TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
        TargetFilename|endswith: '.iso'
    condition: 1 of selection*
falsepositives:
    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
level: high

title: ImagingDevices Unusual Parent/Child Processes
id: f11f2808-adb4-46c0-802a-8660db50fa99
status: test
description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2022-12-29
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more if known
            - \WmiPrvSE.exe
            - \svchost.exe
            - \dllhost.exe
        Image|endswith: '\ImagingDevices.exe'
    selection_child:
        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
        ParentImage|endswith: '\ImagingDevices.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|contains:
            - 'RemCom_stdin'
            - 'RemCom_stdout'
            - 'RemCom_stderr'
    condition: selection1
falsepositives:
    - Unknown
level: high

title: Important Scheduled Task Deleted or Disabled
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
status: test
description: |
    Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023-01-13
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 141 # Task Deleted
            - 142 # Task Disabled
        TaskName|contains:
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\ExploitGuard'
    filter_main_user:
        UserName|contains:
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034

title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
status: test
description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-03-13
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID:
            - 4699 # Task Deleted Event
            - 4701 # Task Disabled Event
        TaskName|contains:
            # Add more important tasks
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\Schedule'
            - '\Windows\ExploitGuard'
    filter_main_defender_update:
        EventID: 4699
        SubjectUserName|endswith: '$'  # False positives during upgrades of Defender, where its tasks get removed and added
        TaskName|contains: '\Windows\Windows Defender\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034

title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
      type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
    - https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection_state_success_and_failure:
        EventID: 4719
        SubcategoryGuid:
            # Note: Add or remove GUID as you see fit in your env
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    selection_state_success_only:
        EventID: 4719
        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
        AuditPolicyChanges|contains: '%%8448'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: Important Windows Eventlog Cleared
id: 100ef69e-3327-481c-8e5c-6d80d9507556
related:
    - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
      type: derived
status: test
description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
references:
    - https://twitter.com/deviouspolack/status/832535435960209408
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-17
modified: 2023-11-15
tags:
    - attack.defense-impairment
    - attack.t1685.005
    - car.2016-04-002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
        Provider_Name: 'Microsoft-Windows-Eventlog'
        Channel:
            - 'Microsoft-Windows-PowerShell/Operational'
            - 'Microsoft-Windows-Sysmon/Operational'
            - 'PowerShellCore/Operational'
            - 'Security'
            - 'System'
            - 'Windows PowerShell'
    condition: selection
falsepositives:
    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
    - System provisioning (system reset before the golden image creation)
level: high

title: Important Windows Service Terminated Unexpectedly
id: 56abae0c-6212-4b97-adc0-0b559bb950c3
status: test
description: Detects important or interesting Windows services that got terminated unexpectedly.
references:
    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.stealth
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).
    selection_name:
        # Note that these names contained in "param1" are "Display Names" and are language specific. If you're using a non-english system these can and will be different
        - param1|contains: 'Message Queuing'
        # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name.
        - Binary|contains:
              - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
              - '6d0073006d007100' # msmq
    condition: all of selection_*
falsepositives:
    - Rare false positives could occur since service termination could happen due to multiple reasons
level: high

title: Important Windows Service Terminated With Error
id: d6b5520d-3934-48b4-928c-2aa3f92d6963
related:
    - id: acfa2210-0d71-4eeb-b477-afab494d596c
      type: similar
status: test
description: Detects important or interesting Windows services that got terminated for whatever reason
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.stealth
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    selection_name:
        - param1|contains:
              # Note that these names are "Display Names" and are language specific. If you're using a non-english system these can and will be different
              - ' Antivirus'
              - ' Firewall'
              - 'Application Guard'
              - 'BitLocker Drive Encryption Service'
              - 'Encrypting File System'
              - 'Microsoft Defender'
              - 'Threat Protection'
              - 'Windows Event Log'
        # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name.
        - Binary|contains:
              - '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service)
              - '4500760065006e0074004c006f006700' # EventLog
              - '6d0070007300730076006300' # mpssvc (Windows Defender Firewall)
              - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service)
              - '450046005300' # EFS (Encrypting File System)
              - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service)
    condition: all of selection_*
falsepositives:
    - Rare false positives could occur since service termination could happen due to multiple reasons
level: high

title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
related:
    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
      type: similar
status: test
description: Detects the import of a alternate datastream to the registry with regedit.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /i '
            - '.reg'
        CommandLine|re: ':[^ \\]'
    filter:
        CommandLine|contains|windash:
            - ' -e '
            - ' -a '
            - ' -c '
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high

title: Impossible Travel
id: b2572bf9-e20a-4594-b528-40bde666525a
status: test
description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'impossibleTravel'
    condition: selection
falsepositives:
    - Connecting to a VPN, performing activity and then dropping and performing additional activity.
level: high