title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
      type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\createdump.exe'
        - OriginalFileName: 'FX_VER_INTERNALNAME_STR'
    selection_cli:
        CommandLine|contains:
            - ' -u ' # Short version of '--full'
            - ' --full '
            - ' -f ' # Short version of '--name'
            - ' --name '
            - '.dmp '
    condition: all of selection_*
falsepositives:
    - Command lines that use the same flags
level: high

title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
      type: obsolete
    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_folder:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '%ProgramData%'
            - '%public%'
            - '%temp%'
            - '%tmp%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high

title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
    Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Notes:
        #   - The parent must not have CLI options
        #   - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
        #   - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
        ParentCommandLine|endswith:
            - '.exe'
            - '.exe"'
        Image|endswith: '\cmd.exe'
        CommandLine|startswith: '/c echo "'
    filter_main_parent_not_sys:
        ParentImage|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
        ParentImage|endswith: '\forfiles.exe'
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
        Image|endswith: '\cmd.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
    - https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\xordump.exe'
        - CommandLine|contains:
              - ' -process lsass.exe '
              - ' -m comsvcs '
              - ' -m dbghelp '
              - ' -m dbgcore '
    condition: selection
falsepositives:
    - Another tool that uses the command line switches of XORdump
level: high

title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
    - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
modified: 2025-11-27
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_tools_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_tools_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target_path:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
            - '\WinSxS'
    selection_target_lolbin:
        CommandLine|contains:
            # Note: add more binaries to increase coverage
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cmdl32.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\ie4uinit.exe'
    condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
    - Unknown
level: high

title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
    - https://en.wikipedia.org/wiki/Right-to-left_override
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.014
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_commandline:
        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
            - 'cod.msc'  # Reversed `.doc`
            - 'fdp.msc'  # Reversed `.pdf`
            - 'ftr.msc'  # Reversed `.rtf`
            - 'lmth.msc'  # Reversed `.html`
            - 'slx.msc'  # Reversed `.xls`
            - 'tdo.msc'  # Reversed `.odt`
            - 'xcod.msc'  # Reversed `.docx`
            - 'xslx.msc'  # Reversed `.xlsx`
            - 'xtpp.msc'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
    - Unconventional but non-malicious usage of RLO or reversed extensions.
level: high

title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: test
description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1027
    - attack.t1105
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
falsepositives:
    - Legitimate used of encrypted ZIP files
level: high

title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
      type: similar
    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
      type: derived
    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
      type: obsolete
    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
      type: obsolete
    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
      type: obsolete
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
    - https://twitter.com/christophetd/status/1164506034720952320
    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
    - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019-06-15
modified: 2026-02-12
tags:
    - attack.stealth
    - attack.t1036.003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Execute processes remotely'
        - Product: 'Sysinternals PsExec'
        - Description|startswith:
              - 'Windows PowerShell'
              - 'pwsh'
        - OriginalFileName:
              - 'certutil.exe'
              - 'cmstp.exe'
              - 'cscript.exe'
              - 'IE4UINIT.EXE'
              - 'finger.exe'
              - 'mshta.exe'
              - 'msiexec.exe'
              - 'msxsl.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'psexec.c'        # old versions of psexec (2016 seen)
              - 'psexec.exe'
              - 'psexesvc.exe'
              - 'pwsh.dll'
              - 'reg.exe'
              - 'regsvr32.exe'
              - 'rundll32.exe'
              - 'WerMgr'
              - 'wmic.exe'
              - 'wscript.exe'
    filter:
        Image|endswith:
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\ie4uinit.exe'
            - '\finger.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PSEXESVC.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wermgr.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml

title: Potential Defense Evasion Via Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
related:
    - id: e0552b19-5a83-4222-b141-b36184bb8d79
      type: derived
    - id: 584bca0f-3608-4402-80fd-4075ff6072e3
      type: derived
status: test
description: |
    Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
    This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://unicode-explorer.com/c/202E
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
date: 2023-02-15
modified: 2026-03-20
tags:
    - attack.stealth
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - '‮'
    condition: selection
falsepositives:
    - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml

title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e'  # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - '‮'
    selection_extensions:
        TargetFilename|contains:
            - '3pm.'  # Reversed `.mp3`
            - '4pm.'  # Reversed `.mp4`
            - 'cod.'  # Reversed `.doc`
            - 'fdp.'  # Reversed `.pdf`
            - 'ftr.'  # Reversed `.rtf`
            - 'gepj.'  # Reversed `.jpeg`
            - 'gnp.'  # Reversed `.png`
            - 'gpj.'  # Reversed `.jpg`
            - 'ism.'  # Reversed `.msi`
            - 'lmth.'  # Reversed `.html`
            - 'nls.' # Reversed `.sln`
            - 'piz.'  # Reversed `.zip`
            - 'slx.'  # Reversed `.xls`
            - 'tdo.'  # Reversed `.odt`
            - 'vsc.'  # Reversed `.csv`
            - 'vwm.'  # Reversed `.wmv`
            - 'xcod.'  # Reversed `.docx`
            - 'xslx.'  # Reversed `.xlsx`
            - 'xtpp.'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml

title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
    - https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mm ' # Mini dump
            - ' -mp ' # Miniplus dump
    selection_process:
        CommandLine|contains:
            - ' ls' # Short for lsass
            - ' keyiso'
            - ' samss'
    condition: all of selection_*
falsepositives:
    - Unlikely, because no one should dump an lsass process memory
    - Another tool that uses command line flags similar to ProcDump
level: high

title: Potential MsiExec Masquerading
id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
status: test
description: Detects the execution of msiexec.exe from an uncommon directory
references:
    - https://twitter.com/200_okay_/status/1194765831911215104
author: Florian Roth (Nextron Systems)
date: 2019-11-14
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: '\msiexec.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
    - https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'copy procdump'
            - 'move procdump'
    selection_2:
        CommandLine|contains|all:
            - 'copy '
            - '.dmp '
        CommandLine|contains:
            - '2.dmp'
            - 'lsass'
            - 'out.dmp'
    selection_3:
        CommandLine|contains:
            - 'copy lsass.exe_'  # procdump default pattern e.g. lsass.exe_220111_085234.dmp
            - 'move lsass.exe_'  # procdump default pattern e.g. lsass.exe_220111_085234.dmp
    condition: 1 of selection_*
falsepositives:
    - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high

title: Potential WerFault ReflectDebugger Registry Value Abuse
id: 0cf2e1c6-8d10-4273-8059-738778f981ad
related:
    - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
      type: derived
status: test
description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
references:
    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior
date: 2023-05-18
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
    - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
    - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\All Users\'
            - ':\Users\Default\'
            - ':\Users\NetworkService\'
            - ':\Windows\addins\'
            - ':\Windows\debug\'
            - ':\Windows\Fonts\'
            - ':\Windows\Help\'
            - ':\Windows\IME\'
            - ':\Windows\Media\'
            - ':\Windows\repair\'
            - ':\Windows\security\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '$Recycle.bin'
            - '\config\systemprofile\'
            - '\Intel\Logs\'
            - '\RSA\MachineKeys\'
    filter_optional_ibm:
        Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
    filter_optional_citrix:
        Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
        Image|endswith: '\CitrixReceiverUpdater.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
      type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
    - https://twitter.com/Hexacorn/status/1224848930795552769
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
    - https://twitter.com/SBousseaden/status/1167417096374050817
    - https://twitter.com/Wietze/status/1542107456507203586
    - https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli_1:
        CommandLine|contains|all:
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - '#-'
            - '#+'
            - '#24'
            - '24 '
            - 'MiniDump' # Matches MiniDump and MinidumpW
            - '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.  for e.g ordinal 24 can be also represented by 65560 (65536+24)
    selection_generic:
        CommandLine|contains|all:
            - '24'
            - 'comsvcs'
            - 'full'
        CommandLine|contains:
            - ' #'
            - ',#'
            - ', #'
            - '"#'
    condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
    - Unlikely
level: high

title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
      type: similar
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith: '\meshagent.exe'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Renamed BrowserCore.EXE Execution
id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
status: test
description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
references:
    - https://twitter.com/mariuszbit/status/1531631015139102720
author: Max Altgelt (Nextron Systems)
date: 2022-06-02
modified: 2023-02-03
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: BrowserCore.exe
    filter_realbrowsercore:
        Image|endswith: '\BrowserCore.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
    - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
      type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        OriginalFileName: 'FX_VER_INTERNALNAME_STR'
    selection_cli:
        - CommandLine|contains|all:
              - ' -u ' # Short version of '--full'
              - ' -f ' # Short version of '--name'
              - '.dmp'
        - CommandLine|contains|all:
              - ' --full ' # Short version of '--full'
              - ' --name ' # Short version of '--name'
              - '.dmp'
    filter:
        Image|endswith: '\createdump.exe'
    condition: 1 of selection_* and not filter
falsepositives:
    - Command lines that use the same flags
level: high

title: Renamed Jusched.EXE Execution
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
status: test
description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
references:
    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
author: Markus Neis, Swisscom
date: 2019-06-04
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description:
            - Java Update Scheduler
            - Java(TM) Update Scheduler
    filter:
        Image|endswith: '\jusched.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Renamed Msdt.EXE Execution
id: bd1c6866-65fc-44b2-be51-5588fcff82b9
status: test
description: Detects the execution of a renamed "Msdt.exe" binary
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: pH-T (Nextron Systems)
date: 2022-06-03
modified: 2023-02-03
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'msdt.exe'
    filter:
        Image|endswith: '\msdt.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml

title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2025-12-09
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName:
              - 'Excel.exe'
              - 'MSACCESS.EXE'
              - 'MSPUB.EXE'
              - 'OneNote.exe'
              - 'OneNoteM.exe'
              - 'OUTLOOK.EXE'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
              - 'Olk.exe'
        - Description:
              - 'Microsoft Access'
              - 'Microsoft Excel'
              - 'Microsoft OneNote'
              - 'Microsoft Outlook'
              - 'Microsoft PowerPoint'
              - 'Microsoft Publisher'
              - 'Microsoft Word'
              - 'Sent to OneNote Tool'
    filter_main_legit_names:
        Image|endswith:
            - '\EXCEL.exe'
            - '\excelcnv.exe'
            - '\MSACCESS.exe'
            - '\MSPUB.EXE'
            - '\ONENOTE.EXE'
            - '\ONENOTEM.EXE'
            - '\OUTLOOK.EXE'
            - '\POWERPNT.EXE'
            - '\WINWORD.exe'
            - '\OLK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Renamed Plink Execution
id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
status: test
description: Detects the execution of a renamed version of the Plink binary
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
    - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-02-03
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'Plink'
        - CommandLine|contains|all:
              - ' -l forward'
              - ' -P '
              - ' -R '
    filter:
        Image|endswith: '\plink.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Renamed ProcDump Execution
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
related:
    - id: 03795938-1387-481b-9f4c-3f6241e604fe
      type: obsolete
status: test
description: |
    Detects the execution of a renamed ProcDump executable.
    This often done by attackers or malware in order to evade defensive mechanisms.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-11-18
modified: 2024-06-25
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_ofn:
        OriginalFileName: 'procdump'
    selection_cli_dump_flag:
        CommandLine|contains|windash:
            - ' -ma ' # Full Dump
            - ' -mp ' # Mini Plus
    selection_cli_eula_flag:
        # Note: Even though the "accepteula" flag isn't required. We add it to avoid collision with similar utilities.
        CommandLine|contains|windash: ' /accepteula'
    filter_main_known_names:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
falsepositives:
    - Procdump illegally bundled with legitimate software.
    - Administrators who rename binaries (should be investigated).
level: high

title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
    Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
    One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
    Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
    - https://x.com/JangPr0/status/1932034543026065833
    - https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036.003
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_operation:
        CommandLine|contains|windash:
            - ' /create '
            - ' /delete '
            - ' /query '
            - ' /change '
            - ' /run '
            - ' /end '
    selection_cmd_flags:
        CommandLine|contains|windash:
            - ' /tn '
            - ' /tr '
            - ' /sc '
            - ' /st '
            - ' /ru '
            - ' /fo '
    selection_pe:
        OriginalFileName: 'schtasks.exe'
    filter_main_cmd:
        CommandLine|contains: 'schtasks'
    filter_main_img:
        Image|endswith: '\schtasks.exe'
    condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
    - Unlikely
level: high

title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
    Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
    This binary can be abused for DLL injection, arbitrary command and process execution.
references:
    - https://twitter.com/gN3mes1s/status/1222088214581825540
    - https://twitter.com/gN3mes1s/status/1222095963789111296
    - https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036
    - attack.t1055.001
    - attack.t1202
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
    filter_main_legit_name:
        Image|endswith: '\dctask64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1053.005
    - attack.t1036.004
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|windash: ' /create '
        CommandLine|contains:
            - ' audiodg'
            - ' conhost'
            - ' dwm.exe'
            - ' explorer'
            - ' lsass'
            - ' lsm'
            - ' mmc'
            - ' msiexec'
            - ' regsvr32'
            - ' rundll32'
            - ' services'
            - ' spoolsv'
            - ' svchost'
            - ' taskeng'
            - ' taskhost'
            - ' wininit'
            - ' winlogon'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks scheduling trusted system processes.
level: high

title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    filter_main_cmd_bits:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'bits'
    filter_main_powershell_noprofile:
        Image|endswith: '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile -'
            - '-noprofile'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
    Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
    - https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: '\calc.exe '
    selection_2:
        Image|endswith: '\calc.exe'
    filter_main_known_locations:
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
    - Unknown
level: high

title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
    - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
      type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wermgr.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\ipconfig.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nslookup.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    filter_main_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains|all:
            - 'C:\Windows\system32\WerConCpl.dll'
            - 'LaunchErcApp '
        CommandLine|contains:
            - '-queuereporting'
            - '-responsepester'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
      type: derived
    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
      type: similar
status: test
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2026-03-31
tags:
    - attack.stealth
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection_gen:
        TargetFilename|endswith:
            - '.exe'
            - '.iso'
            - '.rar'
            - '.svg'
            - '.zip'
            # - '.lnk'  # legitimate links can happen just anywhere
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.gif.'
            - '.jpeg.'
            - '.jpg.'
            - '.mp3.'
            - '.mp4.'
            - '.pdf.'
            - '.png.'
            - '.ppt.'
            - '.pptx.'
            - '.rtf.'
            - '.svg.'
            - '.txt.'
            - '.xls.'
            - '.xlsx.'
    selection_exe:
        TargetFilename|endswith:
            - '.rar.exe'
            - '.zip.exe'
    # Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations
    # filter_main_lnk:
    #     TargetFilename|contains:
    #         - '\AppData\Roaming\Microsoft\Office\Recent\'
    #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_icons_linux:
        TargetFilename|startswith: '/usr/share/icons/'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unlikely
level: high

title: Suspicious Download From Direct IP Via Bitsadmin
id: 99c840f2-2012-46fd-9141-c761987550ef
related:
    - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    filter_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml

title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_domain:
        CommandLine|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\DumpMinitool.exe'
              - '\DumpMinitool.x86.exe'
              - '\DumpMinitool.arm64.exe'
        - OriginalFileName:
              - 'DumpMinitool.exe'
              - 'DumpMinitool.x86.exe'
              - 'DumpMinitool.arm64.exe'
    filter_folder:
        Image|contains:
            - '\Microsoft Visual Studio\'
            - '\Extensions\'  # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
    susp_flags:
        CommandLine|contains: '.txt'
    cmd_has_flags:
        CommandLine|contains:
            - ' Full'
            - ' Mini'
            - ' WithHeap'
    filter_cmd_misses_flags:
        CommandLine|contains: '--dumpType'
    condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
    - Unknown
level: high

title: Suspicious MSDT Parent Process
id: 7a74da6b-ea76-47db-92cc-874ad90df734
status: test
description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
author: Nextron Systems
date: 2022-06-01
modified: 2023-02-06
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50
    selection_msdt:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Parent Double Extension File Execution
id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
      type: derived
status: test
description: Detect execution of suspicious double extension files in ParentCommandLine
references:
    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-06
modified: 2023-02-28
tags:
    - attack.stealth
    - attack.t1036.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - ParentImage|endswith:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
        - ParentCommandLine|contains:
              - '.doc.lnk'
              - '.docx.lnk'
              - '.xls.lnk'
              - '.xlsx.lnk'
              - '.ppt.lnk'
              - '.pptx.lnk'
              - '.rtf.lnk'
              - '.pdf.lnk'
              - '.txt.lnk'
              - '.doc.js'
              - '.docx.js'
              - '.xls.js'
              - '.xlsx.js'
              - '.ppt.js'
              - '.pptx.js'
              - '.rtf.js'
              - '.pdf.js'
              - '.txt.js'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
      type: similar
    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
      type: similar
status: test
description: |
    Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
    - https://tria.ge/240731-jh4crsycnb/behavioral2
    - https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    filter_main_ofn:
        OriginalFileName: 'svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml

title: Suspicious Process Parents
id: cbec226f-63d9-4eca-9f52-dfb6652f24df
status: test
description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
references:
    - https://twitter.com/x86matthew/status/1505476263464607744?s=12
    - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2022-09-08
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\minesweeper.exe'
            - '\winver.exe'
            - '\bitsadmin.exe'
    selection_special:
        ParentImage|endswith:
            - '\csrss.exe'
            - '\certutil.exe'
         # - '\schtasks.exe'
            - '\eventvwr.exe'
            - '\calc.exe'
            - '\notepad.exe'
    filter_special:
        Image|endswith:
            - '\WerFault.exe'
            - '\wermgr.exe'
            - '\conhost.exe' # csrss.exe, certutil.exe
            - '\mmc.exe'     # eventvwr.exe
            - '\win32calc.exe' # calc.exe
            - '\notepad.exe'
    filter_null:
        Image: null
    condition: selection or ( selection_special and not 1 of filter_* )
falsepositives:
    - Unknown
level: high

title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
    Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Wuauclt.exe'
        - OriginalFileName: 'Wuauclt.exe'
    selection_cli:
        CommandLine|endswith:
            - 'Wuauclt'
            - 'Wuauclt.exe'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
      type: derived
status: test
description: |
    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
    - https://twitter.com/GelosSnake/status/934900723426439170
    - https://asec.ahnlab.com/en/39828/
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\atbroker.exe'
            - '\audiodg.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\certreq.exe'
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\consent.exe'
            - '\cscript.exe'
            - '\csrss.exe'
            - '\dashost.exe'
            - '\defrag.exe'
            - '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
            - '\dism.exe'
            - '\dllhost.exe'
            - '\dllhst3g.exe'
            - '\dwm.exe'
            - '\eventvwr.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\finger.exe'
            - '\logonui.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\ntoskrnl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\runonce.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\userinit.exe'
            - '\werfault.exe'
            - '\werfaultsecure.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winver.exe'
            - '\wlanext.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
    filter_main_generic:
        Image|startswith:
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SystemTemp\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\uus\'
            - 'C:\Windows\WinSxS\'
    filter_optional_system32:
        Image|contains: '\SystemRoot\System32\'
    filter_main_powershell:
        Image|contains:
            - 'C:\Program Files\PowerShell\7\'
            - 'C:\Program Files\PowerShell\7-preview\'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
        Image|endswith: '\pwsh.exe'
    filter_main_wsl_programfiles:
        Image|startswith:
            - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
            - 'C:\Program Files\WSL\'
        Image|endswith: '\wsl.exe'
    filter_main_wsl_appdata:
        Image|startswith: C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
        Image|endswith: '\wsl.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml

title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        Image|endswith: '\taskmgr.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
    Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
    This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
    - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
    - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036.005
    - attack.t1055
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
        Image|endswith: '\svchost.exe'
    filter_main_flags:
        CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    filter_optional_defender:
        ParentImage|endswith: '\MsMpEng.exe'
        CommandLine|contains: 'svchost.exe'
    filter_optional_mrt:
        ParentImage|endswith: '\MRT.exe'
        CommandLine: 'svchost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
      type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        Image|endswith:
            - '\csrss.exe'
            - '\lsass.exe'
            - '\RuntimeBroker.exe'
            - '\sihost.exe'
            - '\smss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.txt'
            - '.vbe'
            - '.vbs'
    selection_special:
        Image|endswith:
            - '\dllhost.exe'
            - '\rundll32.exe'
            - '\svchost.exe'
        TargetFilename|endswith:
            - '.bat'
            - '.hta'
            - '.iso'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_main_AppLockerPolicyTest:
        Image: 'C:\Windows\System32\dllhost.exe'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\__PSScriptPolicyTest_'
        TargetFilename|endswith: '.ps1'
    filter_main_script_gpo_machine:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Windows\System32\GroupPolicy\DataStore\'
            - '\sysvol\'
            - '\Policies\'
            - '\Machine\Scripts\Startup\'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
    filter_main_clipchamp:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            - 'C:\Program Files\WindowsApps\Clipchamp'
            - '.ps1'
    filter_main_powershell_preview:
        Image:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|startswith:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
      type: derived
status: test
description: |
    Detects a CodePage modification using the "mode.com" utility to Russian language.
    This behavior has been used by threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior:"mode con cp select=1251"
    # VT Query: behavior:"mode con cp select=866"
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
        CommandLine|endswith:
            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
    condition: all of selection_*
falsepositives:
    - Russian speaking people changing the CodePage
level: medium

title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: test
description: |
    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.namespace: kube-system
    condition: selection
falsepositives:
    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
level: medium

title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
    - https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\DumpMinitool.exe'
              - '\DumpMinitool.x86.exe'
              - '\DumpMinitool.arm64.exe'
        - OriginalFileName:
              - 'DumpMinitool.exe'
              - 'DumpMinitool.x86.exe'
              - 'DumpMinitool.arm64.exe'
    selection_cli:
        CommandLine|contains:
            - ' Full'
            - ' Mini'
            - ' WithHeap'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Explorer Process Tree Break
id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
status: test
description: |
  Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
  which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
references:
    - https://twitter.com/CyberRaiju/status/1273597319322058752
    - https://twitter.com/bohops/status/1276357235954909188?s=12
    - https://twitter.com/nas_bench/status/1535322450858233858
    - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
date: 2019-06-29
modified: 2025-10-31
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
    selection_factory:
        CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
    selection_root:
        CommandLine|contains: 'explorer.exe'
        CommandLine|contains|windash: ' /root,'
        # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
        # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium