title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
      type: obsolete
    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_folder:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
            - '%ProgramData%'
            - '%public%'
            - '%temp%'
            - '%tmp%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '.7z'
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.log'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.rar'
            - '.scf'
            - '.sct'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
    - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
modified: 2025-11-27
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_tools_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_tools_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target_path:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
            - '\WinSxS'
    selection_target_lolbin:
        CommandLine|contains:
            # Note: add more binaries to increase coverage
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cmdl32.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\ie4uinit.exe'
    condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
    - Unknown
level: high

title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
      type: similar
    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
      type: derived
    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
      type: obsolete
    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
      type: obsolete
    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
      type: obsolete
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
    - https://twitter.com/christophetd/status/1164506034720952320
    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
    - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019-06-15
modified: 2026-02-12
tags:
    - attack.stealth
    - attack.t1036.003
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Execute processes remotely'
        - Product: 'Sysinternals PsExec'
        - Description|startswith:
              - 'Windows PowerShell'
              - 'pwsh'
        - OriginalFileName:
              - 'certutil.exe'
              - 'cmstp.exe'
              - 'cscript.exe'
              - 'IE4UINIT.EXE'
              - 'finger.exe'
              - 'mshta.exe'
              - 'msiexec.exe'
              - 'msxsl.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'psexec.c'        # old versions of psexec (2016 seen)
              - 'psexec.exe'
              - 'psexesvc.exe'
              - 'pwsh.dll'
              - 'reg.exe'
              - 'regsvr32.exe'
              - 'rundll32.exe'
              - 'WerMgr'
              - 'wmic.exe'
              - 'wscript.exe'
    filter:
        Image|endswith:
            - '\certutil.exe'
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\ie4uinit.exe'
            - '\finger.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\PSEXESVC.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wermgr.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
    - PsExec installed via Windows Store doesn't contain original filename field (False negative)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml

title: Potential WerFault ReflectDebugger Registry Value Abuse
id: 0cf2e1c6-8d10-4273-8059-738778f981ad
related:
    - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
      type: derived
status: test
description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
references:
    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior
date: 2023-05-18
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
      type: similar
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith: '\meshagent.exe'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Renamed BrowserCore.EXE Execution
id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
status: test
description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
references:
    - https://twitter.com/mariuszbit/status/1531631015139102720
author: Max Altgelt (Nextron Systems)
date: 2022-06-02
modified: 2023-02-03
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: BrowserCore.exe
    filter_realbrowsercore:
        Image|endswith: '\BrowserCore.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Renamed Jusched.EXE Execution
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
status: test
description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
references:
    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
author: Markus Neis, Swisscom
date: 2019-06-04
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description:
            - Java Update Scheduler
            - Java(TM) Update Scheduler
    filter:
        Image|endswith: '\jusched.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Renamed Msdt.EXE Execution
id: bd1c6866-65fc-44b2-be51-5588fcff82b9
status: test
description: Detects the execution of a renamed "Msdt.exe" binary
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: pH-T (Nextron Systems)
date: 2022-06-03
modified: 2023-02-03
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'msdt.exe'
    filter:
        Image|endswith: '\msdt.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml

title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2025-12-09
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName:
              - 'Excel.exe'
              - 'MSACCESS.EXE'
              - 'MSPUB.EXE'
              - 'OneNote.exe'
              - 'OneNoteM.exe'
              - 'OUTLOOK.EXE'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
              - 'Olk.exe'
        - Description:
              - 'Microsoft Access'
              - 'Microsoft Excel'
              - 'Microsoft OneNote'
              - 'Microsoft Outlook'
              - 'Microsoft PowerPoint'
              - 'Microsoft Publisher'
              - 'Microsoft Word'
              - 'Sent to OneNote Tool'
    filter_main_legit_names:
        Image|endswith:
            - '\EXCEL.exe'
            - '\excelcnv.exe'
            - '\MSACCESS.exe'
            - '\MSPUB.EXE'
            - '\ONENOTE.EXE'
            - '\ONENOTEM.EXE'
            - '\OUTLOOK.EXE'
            - '\POWERPNT.EXE'
            - '\WINWORD.exe'
            - '\OLK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Renamed ProcDump Execution
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
related:
    - id: 03795938-1387-481b-9f4c-3f6241e604fe
      type: obsolete
status: test
description: |
    Detects the execution of a renamed ProcDump executable.
    This often done by attackers or malware in order to evade defensive mechanisms.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-11-18
modified: 2024-06-25
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_ofn:
        OriginalFileName: 'procdump'
    selection_cli_dump_flag:
        CommandLine|contains|windash:
            - ' -ma ' # Full Dump
            - ' -mp ' # Mini Plus
    selection_cli_eula_flag:
        # Note: Even though the "accepteula" flag isn't required. We add it to avoid collision with similar utilities.
        CommandLine|contains|windash: ' /accepteula'
    filter_main_known_names:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
falsepositives:
    - Procdump illegally bundled with legitimate software.
    - Administrators who rename binaries (should be investigated).
level: high

title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
    Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
    One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
    Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
    - https://x.com/JangPr0/status/1932034543026065833
    - https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036.003
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_operation:
        CommandLine|contains|windash:
            - ' /create '
            - ' /delete '
            - ' /query '
            - ' /change '
            - ' /run '
            - ' /end '
    selection_cmd_flags:
        CommandLine|contains|windash:
            - ' /tn '
            - ' /tr '
            - ' /sc '
            - ' /st '
            - ' /ru '
            - ' /fo '
    selection_pe:
        OriginalFileName: 'schtasks.exe'
    filter_main_cmd:
        CommandLine|contains: 'schtasks'
    filter_main_img:
        Image|endswith: '\schtasks.exe'
    condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
    - Unlikely
level: high

title: Suspicious Download From Direct IP Via Bitsadmin
id: 99c840f2-2012-46fd-9141-c761987550ef
related:
    - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
      type: similar
status: test
description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_extension:
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    filter_seven_zip:
        CommandLine|contains: '://7-' # For https://7-zip.org/
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml

title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
            - ' /addfile '
    selection_domain:
        CommandLine|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
    - Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
    - https://isc.sans.edu/diary/22264
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - attack.s0190
    - attack.t1036.003
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cmd:
        CommandLine|contains: ' /transfer '
    selection_cli_1:
        CommandLine|contains:
            - ' /create '
            - ' /addfile '
    selection_cli_2:
        CommandLine|contains: 'http'
    condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
    - Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - BITSAdmin BITS Download
      technique: T1105
      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b

title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: test
description: |
  Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
  Several different variations of this technique have been observed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-08-22
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'execve'
        a0: 'cp'
        a1: '/bin/sh'
        a2|endswith: '/crond'
    condition: selection
level: medium

title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium

title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
      type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2025-07-15
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'Cmd.Exe'
            - 'CONHOST.EXE'
            - '7z.exe'
            - '7za.exe'
            - 'WinRAR.exe'
            - 'wevtutil.exe'
            - 'net.exe'
            - 'net1.exe'
            - 'netsh.exe'
            - 'InstallUtil.exe'
    filter:
        Image|endswith:
            - '\cmd.exe'
            - '\conhost.exe'
            - '\7z.exe'
            - '\7za.exe'
            - '\WinRAR.exe'
            - '\wevtutil.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\InstallUtil.exe'
    condition: selection and not filter
falsepositives:
    - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml

title: Potential Homoglyph Attack Using Lookalike Characters
id: 32e280f1-8ad4-46ef-9e80-910657611fbc
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-07
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_upper:
        CommandLine|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        CommandLine|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium

title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: file_event
    product: windows
detection:
    selection_upper:
        TargetFilename|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        TargetFilename|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium

title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
    Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains: '\Users\Public\'
            # - '\AppData\Local\Temp\'  # Commented out as it's used by legitimate installers
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium

title: Suspicious Copy From or To System Directory
id: fff9d2b7-e11c-4a69-93d3-40ef66189767
related:
    - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_img_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_img_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target:
        CommandLine|re|i: \s['"]?C:\\Windows\\(?:System32|SysWOW64|WinSxS)
    filter_optional_avira:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c copy'
            - '\Temp\'
            - '\avira_system_speedup.exe'
        CommandLine|contains:
            - 'C:\Program Files\Avira\'
            - 'C:\Program Files (x86)\Avira\'
    condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
falsepositives:
    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
    - When cmd.exe and xcopy.exe are called directly #  C:\Windows\System32\cmd.exe /c copy file1 file2
    - When the command contains the keywords but not in the correct order
level: medium

title: Suspicious Start-Process PassThru
id: 0718cd72-f316-4aa2-988f-838ea8533277
status: test
description: Powershell use PassThru option to start in background
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-15
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Start-Process
            - '-PassThru '
            - '-FilePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium

title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1036.003
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'HostName=ConsoleHost'
    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
            - 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low

title: Windows Processes Suspicious Parent Directory
id: 96036718-71cc-4027-a538-d1587e0006a7
status: test
description: Detect suspicious parent processes of well-known Windows processes
references:
    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
author: vburov
date: 2019-02-23
modified: 2025-03-06
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
              - '\SavService.exe'
              - '\ngen.exe'
        - ParentImage|contains:
              - '\System32\'
              - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage:
              - ''
              - '-'
    condition: selection and not 1 of filter_*
falsepositives:
    - Some security products seem to spawn these
level: low